Merge remote-tracking branch 'origin/master' into topic/johanna/ssl-resumption

testing/btest/Baseline/core.pcap.dumper/output

@@ -0,0 +1 @@
+00000010  ff ff 00 00 01 00 00 00  1d a2 b2 4e 73 00 07 00  | |	00000010  00 20 00 00 01 00 00 00  1d a2 b2 4e 73 00 07 00  |

testing/btest/Baseline/core.pcap.dynamic-filter/conn.log

@@ -0,0 +1,25 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-08-24-15-51-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1300475167.096535	CXWv6p3arKYeMETxOg	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	0	D	1	73	0	0	(empty)
+1300475168.853899	CCvvfg3TEfuqmmG4bh	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	-	0	Dd	1	66	1	117	(empty)
+1300475168.854378	CsRx2w45OKnoww6xl4	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	-	0	Dd	1	80	1	127	(empty)
+1300475168.854837	CRJuHdVW0XPVINV8a	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	-	0	Dd	1	66	1	211	(empty)
+1300475168.857956	CPbrpk1qSsw6ESzHV4	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	-	0	Dd	1	66	1	117	(empty)
+1300475168.858306	C6pKV8GSxOnSLghOa	141.142.220.118	59816	141.142.2.2	53	udp	dns	0.000343	52	99	SF	-	0	Dd	1	80	1	127	(empty)
+1300475168.858713	CIPOse170MGiRM1Qf4	141.142.220.118	59714	141.142.2.2	53	udp	dns	0.000375	38	183	SF	-	0	Dd	1	66	1	211	(empty)
+1300475168.891644	C7XEbhP654jzLoe3a	141.142.220.118	58206	141.142.2.2	53	udp	dns	0.000339	38	89	SF	-	0	Dd	1	66	1	117	(empty)
+1300475168.892037	CJ3xTn1c4Zw9TmAE05	141.142.220.118	38911	141.142.2.2	53	udp	dns	0.000335	52	99	SF	-	0	Dd	1	80	1	127	(empty)
+1300475168.892414	CMXxB5GvmoxJFXdTa	141.142.220.118	59746	141.142.2.2	53	udp	dns	0.000421	38	183	SF	-	0	Dd	1	66	1	211	(empty)
+1300475168.893988	Caby8b1slFea8xwSmb	141.142.220.118	45000	141.142.2.2	53	udp	dns	0.000384	38	89	SF	-	0	Dd	1	66	1	117	(empty)
+1300475168.894422	Che1bq3i2rO3KD1Syg	141.142.220.118	48479	141.142.2.2	53	udp	dns	0.000317	52	99	SF	-	0	Dd	1	80	1	127	(empty)
+1300475168.894787	C3SfNE4BWaU4aSuwkc	141.142.220.118	48128	141.142.2.2	53	udp	dns	0.000423	38	183	SF	-	0	Dd	1	66	1	211	(empty)
+1300475168.901749	CEle3f3zno26fFZkrh	141.142.220.118	56056	141.142.2.2	53	udp	dns	0.000402	36	131	SF	-	0	Dd	1	64	1	159	(empty)
+1300475168.902195	CwSkQu4eWZCH7OONC1	141.142.220.118	55092	141.142.2.2	53	udp	dns	0.000374	36	198	SF	-	0	Dd	1	64	1	226	(empty)
+1300475168.652003	CjhGID4nQcgTWjvg4c	141.142.220.118	35634	208.80.152.2	80	tcp	-	-	-	-	OTH	-	0	D	1	515	0	0	(empty)
+#close	2014-08-24-15-51-55

testing/btest/Baseline/core.pcap.dynamic-filter/output

@@ -0,0 +1,30 @@
+1, [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp]
+2, [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp]
+3, [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp]
+4, [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp]
+5, [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp]
+6, [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp]
+7, [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp]
+8, [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp]
+9, [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp]
+10, [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp]
+11, [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp]
+12, [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp]
+13, [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp]
+14, [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp]
+15, [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp]
+16, [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp]
+17, [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp]
+18, [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp]
+19, [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp]
+20, [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp]
+21, [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp]
+22, [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp]
+23, [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp]
+24, [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp]
+25, [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp]
+26, [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp]
+27, [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp]
+28, [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp]
+29, [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp]
+30, [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp]

testing/btest/Baseline/core.pcap.filter-error/output

@@ -0,0 +1,3 @@
+fatal error in /home/robin/bro/master/scripts/base/frameworks/packet-filter/./main.bro, line 282: Bad pcap filter 'kaputt'
+----
+error, cannot compile BPF filter "kaputt, too"

testing/btest/Baseline/core.pcap.input-error/output2

@@ -0,0 +1,2 @@
+fatal error: problem with interface NO_SUCH_INTERFACE 
+fatal error: problem with trace file NO_SUCH_TRACE (NO_SUCH_TRACE: No such file or directory)

testing/btest/Baseline/core.pcap.pseudo-realtime/output

@@ -0,0 +1 @@
+real time matches trace time

testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-08-23-18-29-48
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1300475168.892936	CXWv6p3arKYeMETxOg	141.142.220.118	50000	208.80.152.3	80	tcp	http	0.229603	1148	734	S1	-	0	ShADad	6	1468	4	950	(empty)
+#close	2014-08-23-18-29-48

testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#open	2014-08-23-18-29-48
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1408818588.510297	bro	port 50000	T	T
+#close	2014-08-23-18-29-48

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-05-15-14-10-48
+#open	2014-09-06-01-19-42
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -14,6 +14,39 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/reporter.bif.bro
   build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
   build/scripts/base/bif/event.bif.bro
+  scripts/base/frameworks/logging/__load__.bro
+    scripts/base/frameworks/logging/main.bro
+      build/scripts/base/bif/logging.bif.bro
+    scripts/base/frameworks/logging/postprocessors/__load__.bro
+      scripts/base/frameworks/logging/postprocessors/scp.bro
+      scripts/base/frameworks/logging/postprocessors/sftp.bro
+    scripts/base/frameworks/logging/writers/ascii.bro
+    scripts/base/frameworks/logging/writers/sqlite.bro
+    scripts/base/frameworks/logging/writers/none.bro
+  scripts/base/frameworks/input/__load__.bro
+    scripts/base/frameworks/input/main.bro
+      build/scripts/base/bif/input.bif.bro
+    scripts/base/frameworks/input/readers/ascii.bro
+    scripts/base/frameworks/input/readers/raw.bro
+    scripts/base/frameworks/input/readers/benchmark.bro
+    scripts/base/frameworks/input/readers/binary.bro
+    scripts/base/frameworks/input/readers/sqlite.bro
+  scripts/base/frameworks/analyzer/__load__.bro
+    scripts/base/frameworks/analyzer/main.bro
+      scripts/base/frameworks/packet-filter/utils.bro
+      build/scripts/base/bif/analyzer.bif.bro
+  scripts/base/frameworks/files/__load__.bro
+    scripts/base/frameworks/files/main.bro
+      build/scripts/base/bif/file_analysis.bif.bro
+      scripts/base/utils/site.bro
+        scripts/base/utils/patterns.bro
+    scripts/base/frameworks/files/magic/__load__.bro
+  build/scripts/base/bif/__load__.bro
+    build/scripts/base/bif/broxygen.bif.bro
+    build/scripts/base/bif/pcap.bif.bro
+    build/scripts/base/bif/bloom-filter.bif.bro
+    build/scripts/base/bif/cardinality-counter.bif.bro
+    build/scripts/base/bif/top-k.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -71,40 +104,14 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
-  scripts/base/frameworks/logging/__load__.bro
-    scripts/base/frameworks/logging/main.bro
-      build/scripts/base/bif/logging.bif.bro
-    scripts/base/frameworks/logging/postprocessors/__load__.bro
-      scripts/base/frameworks/logging/postprocessors/scp.bro
-      scripts/base/frameworks/logging/postprocessors/sftp.bro
-    scripts/base/frameworks/logging/writers/ascii.bro
-    scripts/base/frameworks/logging/writers/dataseries.bro
-    scripts/base/frameworks/logging/writers/sqlite.bro
-    scripts/base/frameworks/logging/writers/elasticsearch.bro
-    scripts/base/frameworks/logging/writers/none.bro
-  scripts/base/frameworks/input/__load__.bro
-    scripts/base/frameworks/input/main.bro
-      build/scripts/base/bif/input.bif.bro
-    scripts/base/frameworks/input/readers/ascii.bro
-    scripts/base/frameworks/input/readers/raw.bro
-    scripts/base/frameworks/input/readers/benchmark.bro
-    scripts/base/frameworks/input/readers/binary.bro
-    scripts/base/frameworks/input/readers/sqlite.bro
-  scripts/base/frameworks/analyzer/__load__.bro
-    scripts/base/frameworks/analyzer/main.bro
-      scripts/base/frameworks/packet-filter/utils.bro
-      build/scripts/base/bif/analyzer.bif.bro
-  scripts/base/frameworks/files/__load__.bro
-    scripts/base/frameworks/files/main.bro
-      build/scripts/base/bif/file_analysis.bif.bro
-      scripts/base/utils/site.bro
-        scripts/base/utils/patterns.bro
-    scripts/base/frameworks/files/magic/__load__.bro
-  build/scripts/base/bif/__load__.bro
-    build/scripts/base/bif/bloom-filter.bif.bro
-    build/scripts/base/bif/cardinality-counter.bif.bro
-    build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/broxygen.bif.bro
+    build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
+    build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
+    build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro
+    build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro
+    build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro
+    build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro
+    build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro
+    build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2014-05-15-14-10-48
+#close	2014-09-06-01-19-42

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-05-15-14-12-26
+#open	2014-09-06-01-20-32
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -14,6 +14,39 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/reporter.bif.bro
   build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
   build/scripts/base/bif/event.bif.bro
+  scripts/base/frameworks/logging/__load__.bro
+    scripts/base/frameworks/logging/main.bro
+      build/scripts/base/bif/logging.bif.bro
+    scripts/base/frameworks/logging/postprocessors/__load__.bro
+      scripts/base/frameworks/logging/postprocessors/scp.bro
+      scripts/base/frameworks/logging/postprocessors/sftp.bro
+    scripts/base/frameworks/logging/writers/ascii.bro
+    scripts/base/frameworks/logging/writers/sqlite.bro
+    scripts/base/frameworks/logging/writers/none.bro
+  scripts/base/frameworks/input/__load__.bro
+    scripts/base/frameworks/input/main.bro
+      build/scripts/base/bif/input.bif.bro
+    scripts/base/frameworks/input/readers/ascii.bro
+    scripts/base/frameworks/input/readers/raw.bro
+    scripts/base/frameworks/input/readers/benchmark.bro
+    scripts/base/frameworks/input/readers/binary.bro
+    scripts/base/frameworks/input/readers/sqlite.bro
+  scripts/base/frameworks/analyzer/__load__.bro
+    scripts/base/frameworks/analyzer/main.bro
+      scripts/base/frameworks/packet-filter/utils.bro
+      build/scripts/base/bif/analyzer.bif.bro
+  scripts/base/frameworks/files/__load__.bro
+    scripts/base/frameworks/files/main.bro
+      build/scripts/base/bif/file_analysis.bif.bro
+      scripts/base/utils/site.bro
+        scripts/base/utils/patterns.bro
+    scripts/base/frameworks/files/magic/__load__.bro
+  build/scripts/base/bif/__load__.bro
+    build/scripts/base/bif/broxygen.bif.bro
+    build/scripts/base/bif/pcap.bif.bro
+    build/scripts/base/bif/bloom-filter.bif.bro
+    build/scripts/base/bif/cardinality-counter.bif.bro
+    build/scripts/base/bif/top-k.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro
@@ -71,40 +104,14 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
-  scripts/base/frameworks/logging/__load__.bro
-    scripts/base/frameworks/logging/main.bro
-      build/scripts/base/bif/logging.bif.bro
-    scripts/base/frameworks/logging/postprocessors/__load__.bro
-      scripts/base/frameworks/logging/postprocessors/scp.bro
-      scripts/base/frameworks/logging/postprocessors/sftp.bro
-    scripts/base/frameworks/logging/writers/ascii.bro
-    scripts/base/frameworks/logging/writers/dataseries.bro
-    scripts/base/frameworks/logging/writers/sqlite.bro
-    scripts/base/frameworks/logging/writers/elasticsearch.bro
-    scripts/base/frameworks/logging/writers/none.bro
-  scripts/base/frameworks/input/__load__.bro
-    scripts/base/frameworks/input/main.bro
-      build/scripts/base/bif/input.bif.bro
-    scripts/base/frameworks/input/readers/ascii.bro
-    scripts/base/frameworks/input/readers/raw.bro
-    scripts/base/frameworks/input/readers/benchmark.bro
-    scripts/base/frameworks/input/readers/binary.bro
-    scripts/base/frameworks/input/readers/sqlite.bro
-  scripts/base/frameworks/analyzer/__load__.bro
-    scripts/base/frameworks/analyzer/main.bro
-      scripts/base/frameworks/packet-filter/utils.bro
-      build/scripts/base/bif/analyzer.bif.bro
-  scripts/base/frameworks/files/__load__.bro
-    scripts/base/frameworks/files/main.bro
-      build/scripts/base/bif/file_analysis.bif.bro
-      scripts/base/utils/site.bro
-        scripts/base/utils/patterns.bro
-    scripts/base/frameworks/files/magic/__load__.bro
-  build/scripts/base/bif/__load__.bro
-    build/scripts/base/bif/bloom-filter.bif.bro
-    build/scripts/base/bif/cardinality-counter.bif.bro
-    build/scripts/base/bif/top-k.bif.bro
-    build/scripts/base/bif/broxygen.bif.bro
+    build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro
+    build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro
+    build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro
+    build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro
+    build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro
+    build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro
+    build/scripts/base/bif/plugins/Bro_NoneWriter.none.bif.bro
+    build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/base/init-default.bro
   scripts/base/utils/active-http.bro
     scripts/base/utils/exec.bro
@@ -236,4 +243,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-05-15-14-12-26
+#close	2014-09-06-01-20-32

testing/btest/Baseline/coverage.find-bro-logs/out

@@ -0,0 +1,42 @@
+app_stats
+barnyard2
+capture_loss
+cluster
+communication
+conn
+dhcp
+dnp3
+dns
+dpd
+files
+ftp
+http
+intel
+irc
+known_certs
+known_devices
+known_hosts
+known_modbus
+known_services
+loaded_scripts
+modbus
+modbus_register_change
+notice
+notice_alarm
+packet_filter
+radius
+reporter
+signatures
+smtp
+snmp
+socks
+software
+ssh
+ssl
+stats
+syslog
+traceroute
+tunnel
+unified2
+weird
+x509

testing/btest/Baseline/doc.broxygen.command_line/output

@@ -0,0 +1 @@
+10

testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1

@@ -7,6 +7,6 @@
       # bro data_struct_vector_declaration.bro
       contents of v1: [1, 2, 3, 4]
       length of v1: 4
-      contents of v1: [1, 2, 3, 4]
+      contents of v2: [1, 2, 3, 4]
       length of v2: 4
 

testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1

@@ -6,6 +6,6 @@
 
       # bro data_type_pattern_01.bro
       The 
-       brown fox jumped over the 
+       brown fox jumps over the 
        dog.
 

testing/btest/Baseline/language.outer_param_binding/out

@@ -0,0 +1,3 @@
+error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 16: referencing outer function IDs not supported (c)
+error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 16: referencing outer function IDs not supported (d)
+error in /home/robin/bro/master/testing/btest/.tmp/language.outer_param_binding/outer_param_binding.bro, line 17: referencing outer function IDs not supported (b)

testing/btest/Baseline/plugins.api-version-mismatch/output

@@ -1 +1 @@
-fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/Demo-Foo.linux-x86_64.so)
+fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/master/testing/btest/.tmp/plugins.api-version-mismatch//lib/XXX)

testing/btest/Baseline/plugins.bifs-and-scripts-install/output

@@ -1,6 +1,6 @@
 Demo::Foo - <Insert description> (dynamic, version 1.0)
-    [Event] plugin_event
     [Function] hello_plugin_world
+    [Event] plugin_event
 
 plugin: automatically loaded at startup
 calling bif, Hello from the plugin!

testing/btest/Baseline/plugins.bifs-and-scripts/output

@@ -1,6 +1,6 @@
 Demo::Foo - <Insert description> (dynamic, version 1.0)
-    [Event] plugin_event
     [Function] hello_plugin_world
+    [Event] plugin_event
 
 ===
 plugin: automatically loaded at startup

testing/btest/Baseline/plugins.hooks/output

@@ -182,7 +182,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, (Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::__write, (PacketFilter::LOG, [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
+0.000000   MetaHookPost  CallFunction(Log::__write, (PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Cluster::LOG)) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Communication::LOG)) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Conn::LOG)) -> <null>
@@ -273,8 +273,8 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, (Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::write, (PacketFilter::LOG, [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
+0.000000   MetaHookPost  CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
+0.000000   MetaHookPost  CallFunction(Log::write, (PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, ()) -> <null>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, ()) -> <null>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> <null>
@@ -316,7 +316,11 @@
 0.000000   MetaHookPost  LoadFile(../main) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ARP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_AYIYA.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_BackDoor.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_BinaryReader.binary.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_ConnSize.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1
@@ -347,16 +351,20 @@
 0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_NetFlow.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_PIA.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_POP3.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RADIUS.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_RPC.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_RawReader.raw.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMB.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMTP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SMTP.functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SNMP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SNMP.types.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SOCKS.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SSH.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SSL.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1
@@ -380,21 +388,20 @@
 0.000000   MetaHookPost  LoadFile(./cardinality-counter.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./const.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./consts) -> -1
-0.000000   MetaHookPost  LoadFile(./consts.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./consts.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./contents) -> -1
 0.000000   MetaHookPost  LoadFile(./dcc-send) -> -1
 0.000000   MetaHookPost  LoadFile(./entities) -> -1
 0.000000   MetaHookPost  LoadFile(./event.bif.bro) -> -1
-0.000000   MetaHookPost  LoadFile(./events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./exec) -> -1
 0.000000   MetaHookPost  LoadFile(./file_analysis.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./files) -> -1
-0.000000   MetaHookPost  LoadFile(./functions.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./gridftp) -> -1
 0.000000   MetaHookPost  LoadFile(./hll_unique) -> -1
+0.000000   MetaHookPost  LoadFile(./hooks.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./inactivity) -> -1
 0.000000   MetaHookPost  LoadFile(./info) -> -1
+0.000000   MetaHookPost  LoadFile(./init.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./input) -> -1
 0.000000   MetaHookPost  LoadFile(./input.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./last) -> -1
@@ -408,6 +415,7 @@
 0.000000   MetaHookPost  LoadFile(./netstats) -> -1
 0.000000   MetaHookPost  LoadFile(./non-cluster) -> -1
 0.000000   MetaHookPost  LoadFile(./patterns) -> -1
+0.000000   MetaHookPost  LoadFile(./pcap.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(./plugins) -> -1
 0.000000   MetaHookPost  LoadFile(./polling) -> -1
 0.000000   MetaHookPost  LoadFile(./postprocessors) -> -1
@@ -432,9 +440,7 @@
 0.000000   MetaHookPost  LoadFile(.<...>/ascii) -> -1
 0.000000   MetaHookPost  LoadFile(.<...>/benchmark) -> -1
 0.000000   MetaHookPost  LoadFile(.<...>/binary) -> -1
-0.000000   MetaHookPost  LoadFile(.<...>/dataseries) -> -1
 0.000000   MetaHookPost  LoadFile(.<...>/drop) -> -1
-0.000000   MetaHookPost  LoadFile(.<...>/elasticsearch) -> -1
 0.000000   MetaHookPost  LoadFile(.<...>/email_admin) -> -1
 0.000000   MetaHookPost  LoadFile(.<...>/hostnames) -> -1
 0.000000   MetaHookPost  LoadFile(.<...>/none) -> -1
@@ -699,7 +705,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, (Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
-0.000000   MetaHookPre   CallFunction(Log::__write, (PacketFilter::LOG, [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, (PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Conn::LOG))
@@ -790,8 +796,8 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, (Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
-0.000000   MetaHookPre   CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T]))
-0.000000   MetaHookPre   CallFunction(Log::write, (PacketFilter::LOG, [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, (PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, (ip or not ip, and, ))
@@ -833,7 +839,11 @@
 0.000000   MetaHookPre   LoadFile(../main)
 0.000000   MetaHookPre   LoadFile(./Bro_ARP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_AYIYA.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_AsciiReader.ascii.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_AsciiWriter.ascii.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_BackDoor.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_BinaryReader.binary.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_BitTorrent.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_ConnSize.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_DCE_RPC.events.bif.bro)
@@ -864,16 +874,20 @@
 0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NetBIOS.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_NetFlow.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_NoneWriter.none.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_PIA.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_POP3.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RADIUS.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_RPC.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_RawReader.raw.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMB.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMTP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SMTP.functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SNMP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SNMP.types.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SOCKS.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_SQLiteReader.sqlite.bif.bro)
+0.000000   MetaHookPre   LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SSH.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SSL.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./Bro_SteppingStone.events.bif.bro)
@@ -897,21 +911,20 @@
 0.000000   MetaHookPre   LoadFile(./cardinality-counter.bif.bro)
 0.000000   MetaHookPre   LoadFile(./const.bif.bro)
 0.000000   MetaHookPre   LoadFile(./consts)
-0.000000   MetaHookPre   LoadFile(./consts.bif.bro)
 0.000000   MetaHookPre   LoadFile(./consts.bro)
 0.000000   MetaHookPre   LoadFile(./contents)
 0.000000   MetaHookPre   LoadFile(./dcc-send)
 0.000000   MetaHookPre   LoadFile(./entities)
 0.000000   MetaHookPre   LoadFile(./event.bif.bro)
-0.000000   MetaHookPre   LoadFile(./events.bif.bro)
 0.000000   MetaHookPre   LoadFile(./exec)
 0.000000   MetaHookPre   LoadFile(./file_analysis.bif.bro)
 0.000000   MetaHookPre   LoadFile(./files)
-0.000000   MetaHookPre   LoadFile(./functions.bif.bro)
 0.000000   MetaHookPre   LoadFile(./gridftp)
 0.000000   MetaHookPre   LoadFile(./hll_unique)
+0.000000   MetaHookPre   LoadFile(./hooks.bif.bro)
 0.000000   MetaHookPre   LoadFile(./inactivity)
 0.000000   MetaHookPre   LoadFile(./info)
+0.000000   MetaHookPre   LoadFile(./init.bro)
 0.000000   MetaHookPre   LoadFile(./input)
 0.000000   MetaHookPre   LoadFile(./input.bif.bro)
 0.000000   MetaHookPre   LoadFile(./last)
@@ -925,6 +938,7 @@
 0.000000   MetaHookPre   LoadFile(./netstats)
 0.000000   MetaHookPre   LoadFile(./non-cluster)
 0.000000   MetaHookPre   LoadFile(./patterns)
+0.000000   MetaHookPre   LoadFile(./pcap.bif.bro)
 0.000000   MetaHookPre   LoadFile(./plugins)
 0.000000   MetaHookPre   LoadFile(./polling)
 0.000000   MetaHookPre   LoadFile(./postprocessors)
@@ -949,9 +963,7 @@
 0.000000   MetaHookPre   LoadFile(.<...>/ascii)
 0.000000   MetaHookPre   LoadFile(.<...>/benchmark)
 0.000000   MetaHookPre   LoadFile(.<...>/binary)
-0.000000   MetaHookPre   LoadFile(.<...>/dataseries)
 0.000000   MetaHookPre   LoadFile(.<...>/drop)
-0.000000   MetaHookPre   LoadFile(.<...>/elasticsearch)
 0.000000   MetaHookPre   LoadFile(.<...>/email_admin)
 0.000000   MetaHookPre   LoadFile(.<...>/hostnames)
 0.000000   MetaHookPre   LoadFile(.<...>/none)
@@ -1216,7 +1228,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2])
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1307,8 +1319,8 @@
 0.000000 | HookCallFunction Log::create_stream(Unified2::LOG, [columns=<no value description>, ev=Unified2::log_unified2])
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
-0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1405981560.501473, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1412721129.083128, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -1520,10 +1532,20 @@
 1362692527.008509   MetaHookPre   UpdateNetworkTime(1362692527.008509)
 1362692527.008509  | HookUpdateNetworkTime 1362692527.008509
 1362692527.008509 | HookDrainEvents
+1362692527.009512   MetaHookPost  CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0])) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::code_in_range, (200, 100, 199)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> <null>
@@ -1535,7 +1557,13 @@
 1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> <null>
 1362692527.009512   MetaHookPost  CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
+1362692527.009512   MetaHookPost  CallFunction(split_all, (HTTP, <...>/)) -> <null>
 1362692527.009512   MetaHookPost  DrainEvents() -> <void>
+1362692527.009512   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> false
+1362692527.009512   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
+1362692527.009512   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)) -> false
@@ -1548,10 +1576,20 @@
 1362692527.009512   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false
 1362692527.009512   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
 1362692527.009512   MetaHookPost  UpdateNetworkTime(1362692527.009512) -> <void>
+1362692527.009512   MetaHookPre   CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0]))
+1362692527.009512   MetaHookPre   CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::code_in_range, (200, 100, 199))
+1362692527.009512   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
 1362692527.009512   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
+1362692527.009512   MetaHookPre   CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
+1362692527.009512   MetaHookPre   CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
+1362692527.009512   MetaHookPre   CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(http_begin_entity, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
 1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
@@ -1563,7 +1601,13 @@
 1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)))
 1362692527.009512   MetaHookPre   CallFunction(http_header, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8))
 1362692527.009512   MetaHookPre   CallFunction(http_reply, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
+1362692527.009512   MetaHookPre   CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
+1362692527.009512   MetaHookPre   CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
+1362692527.009512   MetaHookPre   CallFunction(split_all, (HTTP, <...>/))
 1362692527.009512   MetaHookPre   DrainEvents()
+1362692527.009512   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
+1362692527.009512   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
+1362692527.009512   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes))
 1362692527.009512   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive))
@@ -1577,10 +1621,20 @@
 1362692527.009512   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
 1362692527.009512   MetaHookPre   UpdateNetworkTime(1362692527.009512)
 1362692527.009512  | HookUpdateNetworkTime 1362692527.009512
+1362692527.009512 | HookCallFunction Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0])
+1362692527.009512 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])
 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199)
+1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
 1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
+1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
+1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
+1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
@@ -1592,7 +1646,13 @@
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
 1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
+1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
+1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
+1362692527.009512 | HookCallFunction split_all(HTTP, <...>/)
 1362692527.009512 | HookDrainEvents
+1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])
+1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
+1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ACCEPT-RANGES, bytes)
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, CONNECTION, Keep-Alive)
@@ -1604,60 +1664,12 @@
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))
 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)
 1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
-1362692527.009721   MetaHookPost  CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
-1362692527.009721   MetaHookPost  CallFunction(split_all, (HTTP, <...>/)) -> <null>
 1362692527.009721   MetaHookPost  DrainEvents() -> <void>
-1362692527.009721   MetaHookPost  QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])) -> false
-1362692527.009721   MetaHookPost  QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-1362692527.009721   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
 1362692527.009721   MetaHookPost  UpdateNetworkTime(1362692527.009721) -> <void>
-1362692527.009721   MetaHookPre   CallFunction(Files::__add_analyzers_for_mime_type, (FakNcS1Jfe01uljb3, text/plain, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0]))
-1362692527.009721   MetaHookPre   CallFunction(Files::add_analyzers_for_mime_type, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain))
-1362692527.009721   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   CallFunction(Files::set_info, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009721   MetaHookPre   CallFunction(file_new, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   CallFunction(file_over_new_connection, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   CallFunction(fmt, (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp))
-1362692527.009721   MetaHookPre   CallFunction(get_file_handle, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   CallFunction(id_string, ([orig_h=141.142.228.5, orig_p=59856<...>/tcp]))
-1362692527.009721   MetaHookPre   CallFunction(set_file_handle, (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80))
-1362692527.009721   MetaHookPre   CallFunction(split_all, (HTTP, <...>/))
 1362692527.009721   MetaHookPre   DrainEvents()
-1362692527.009721   MetaHookPre   QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>]))
-1362692527.009721   MetaHookPre   QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-1362692527.009721   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009721   MetaHookPre   UpdateNetworkTime(1362692527.009721)
 1362692527.009721  | HookUpdateNetworkTime 1362692527.009721
-1362692527.009721 | HookCallFunction Files::__add_analyzers_for_mime_type(FakNcS1Jfe01uljb3, text/plain, [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=0])
-1362692527.009721 | HookCallFunction Files::add_analyzers_for_mime_type([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain)
-1362692527.009721 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])
-1362692527.009721 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009721 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009721 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009721 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)
-1362692527.009721 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp])
-1362692527.009721 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)
-1362692527.009721 | HookCallFunction split_all(HTTP, <...>/)
 1362692527.009721 | HookDrainEvents
-1362692527.009721 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], info=<uninitialized>, u2_events=<uninitialized>])
-1362692527.009721 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-1362692527.009721 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009765   MetaHookPost  DrainEvents() -> <void>
 1362692527.009765   MetaHookPost  UpdateNetworkTime(1362692527.009765) -> <void>
 1362692527.009765   MetaHookPre   DrainEvents()
@@ -1668,11 +1680,11 @@
 1362692527.009775   MetaHookPost  CallFunction(HTTP::code_in_range, (200, 100, 199)) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::__write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
+1362692527.009775   MetaHookPost  CallFunction(Log::__write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(Log::__write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
+1362692527.009775   MetaHookPost  CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(Log::default_path_func, (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <null>
-1362692527.009775   MetaHookPost  CallFunction(Log::write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
+1362692527.009775   MetaHookPost  CallFunction(Log::write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <null>
 1362692527.009775   MetaHookPost  CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])) -> <null>
@@ -1700,11 +1712,11 @@
 1362692527.009775   MetaHookPre   CallFunction(HTTP::code_in_range, (200, 100, 199))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::get_file_handle, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 1362692527.009775   MetaHookPre   CallFunction(HTTP::set_state, ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F))
-1362692527.009775   MetaHookPre   CallFunction(Log::__write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Log::__write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::__write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
-1362692527.009775   MetaHookPre   CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Log::default_path_func, (Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::default_path_func, (HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
-1362692527.009775   MetaHookPre   CallFunction(Log::write, (Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
+1362692527.009775   MetaHookPre   CallFunction(Log::write, (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]))
 1362692527.009775   MetaHookPre   CallFunction(Log::write, (HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 1362692527.009775   MetaHookPre   CallFunction(cat, (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 1362692527.009775   MetaHookPre   CallFunction(file_state_remove, ([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]))
@@ -1733,11 +1745,11 @@
 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199)
 1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1], irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, F)
-1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
+1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
-1362692527.009775 | HookCallFunction Log::default_path_func(Files::LOG, , [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
+1362692527.009775 | HookCallFunction Log::default_path_func(Files::LOG, , [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::default_path_func(HTTP::LOG, , [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
-1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009721, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=53.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
+1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CXWv6p3arKYeMETxOg}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.0 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>])
 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>])

testing/btest/Baseline/plugins.pktdumper/output

@@ -0,0 +1,12 @@
+Demo::Foo - A Foo packet dumper (dynamic, version 1.0)
+    [Packet Dumper] FooPktDumper (dumper prefix: "foo")
+
+===
+Dumping to XXX: 1373858797.646968 len 94
+Dumping to XXX: 1373858797.646998 len 94
+Dumping to XXX: 1373858797.647041 len 86
+Dumping to XXX: 1373858797.647147 len 98
+Dumping to XXX: 1373858797.647186 len 86
+Dumping to XXX: 1373858797.647250 len 86
+Dumping to XXX: 1373858797.647317 len 86
+Dumping to XXX: 1373858797.647350 len 86

testing/btest/Baseline/plugins.pktsrc/conn.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-09-04-18-06-05
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1409193037.000000	CXWv6p3arKYeMETxOg	1.2.0.2	2527	1.2.0.3	6649	tcp	-	-	-	-	S0	-	0	S	1	64	0	0	(empty)
+#close	2014-09-04-18-06-05

testing/btest/Baseline/plugins.reader/out

@@ -0,0 +1,10 @@
+Input::EVENT_NEW
+^)kHV32-J_
+Input::EVENT_NEW
+(s[Q8J4Pu4
+Input::EVENT_NEW
++3iDbOB}kq
+Input::EVENT_NEW
+tz9dFehHz)
+Input::EVENT_NEW
+d&@3g)NljG

testing/btest/Baseline/plugins.reader/output

@@ -0,0 +1,4 @@
+Demo::Foo - A Foo test input reader (dynamic, version 1.0)
+    [Writer] Foo (Input::READER_FOO)
+
+===

testing/btest/Baseline/plugins.writer/output

@@ -0,0 +1,22 @@
+Demo::Foo - A Foo test logging writer (dynamic, version 1.0)
+    [Writer] Foo (Log::WRITER_FOO)
+
+===
+[conn] 1340213005.165293|CXWv6p3arKYeMETxOg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|0|S|5|320|0|0|
+[conn] 1340213010.582723|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|tcp|http,socks|13.839419|3860|2934|SF|-|0|ShADadfF|23|5080|20|3986|
+[conn] 1340213048.780152|CCvvfg3TEfuqmmG4bh|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|0|F|1|52|0|0|
+[conn] 1340213097.272764|CsRx2w45OKnoww6xl4|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|0|F|1|52|0|0|
+[conn] 1340213162.160367|CRJuHdVW0XPVINV8a|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|0|F|1|52|0|0|
+[conn] 1340213226.561757|CPbrpk1qSsw6ESzHV4|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|0|F|1|52|0|0|
+[conn] 1340213290.981995|C6pKV8GSxOnSLghOa|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|0|F|1|52|0|0|
+[files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|CjhGID4nQcgTWjvg4c|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-
+[http] 1340213019.013158|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
+[http] 1340213019.013426|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
+[http] 1340213019.580162|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|3|GET|www.osnews.com|/images/icons/9.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
+[http] 1340213020.155861|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|4|GET|www.osnews.com|/images/icons/26.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|1368|200|OK|-|-|-||-|-|-|-|-|FBtZ7y1ppK8iIeY622|image/gif
+[http] 1340213020.732963|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
+[http] 1340213021.300269|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
+[http] 1340213021.861584|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-|-||-|-|-|-|-|-|-
+[packet_filter] 1412721099.419280|bro|ip or not ip|T|T
+[socks] 1340213015.276495|CjhGID4nQcgTWjvg4c|10.0.0.55|53994|60.190.189.214|8124|5|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688
+[tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER

testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out

@@ -5,18 +5,14 @@ FILE_BOF_BUFFER
 MIME_TYPE
 text/plain
 FILE_OVER_NEW_CONNECTION
-file_stream, file #0, 1500, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea
-file_chunk, file #0, 1500, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea
-file_stream, file #0, 1024, se script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices f
-file_chunk, file #0, 1024, 1500, se script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices f
-file_stream, file #0, 476, ormat for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tools/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the 
-file_chunk, file #0, 476, 2524, ormat for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tools/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the 
-file_stream, file #0, 1024, copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP
-file_chunk, file #0, 1024, 3000, copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP
-file_stream, file #0, 476,  now links against thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J
-file_chunk, file #0, 476, 4024,  now links against thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J
-file_stream, file #0, 205, ^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
-file_chunk, file #0, 205, 4500, ^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
+file_stream, file #0, 1146, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
+file_chunk, file #0, 1146, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
+file_stream, file #0, 1448,    rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-release script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices format for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
+file_chunk, file #0, 1448, 1146,    rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-release script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices format for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
+file_stream, file #0, 1448, s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP now links against
+file_chunk, file #0, 1448, 2594, s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP now links against
+file_stream, file #0, 663,  thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
+file_chunk, file #0, 663, 4042,  thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
 FILE_STATE_REMOVE
 file #0, 4705, 0
 [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]

testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2014-07-21-14-26-07
+#open	2014-09-08-21-50-32
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009721	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CXWv6p3arKYeMETxOg	HTTP	0	MD5	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	-	-	-
-#close	2014-07-21-14-26-07
+1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CXWv6p3arKYeMETxOg	HTTP	0	MD5	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	-	-	-
+#close	2014-09-08-21-50-32

testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/1-file

@@ -1 +1 @@
-test
+test

testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/2-file

@@ -1 +1 @@
-test2
+test2

testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/3-file

@@ -1 +1 @@
-test3
+test3

testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out

@@ -1,39 +1,39 @@
 FILE_NEW
 file #0, 0, 0
 FILE_BOF_BUFFER
-test^M^J
+test
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
-file #0, 6, 0
+file #0, 4, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
 source: HTTP
-MD5: 9f06243abcb89c70e0c331c61d871fa7
-SHA1: fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4
-SHA256: 837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b
+MD5: 098f6bcd4621d373cade4e832627b4f6
+SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
+SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
 FILE_NEW
 file #1, 0, 0
 FILE_BOF_BUFFER
-test2^M^J
+test2
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
-file #1, 7, 0
+file #1, 5, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
 source: HTTP
-MD5: d68af81ef370b3873d50f09140068810
-SHA1: 51a7b6f2d91f6a87822dc04560f2972bc14fc97e
-SHA256: de0edd0ac4a705aff70f34734e90a1d0a1d8b76abe4bb53f3ea934bc105b3b17
+MD5: ad0234829205b9033196ba818f7a872b
+SHA1: 109f4b3c50d7b0df729d299bc6f8e9ef9066971f
+SHA256: 60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752
 FILE_NEW
 file #2, 0, 0
 FILE_BOF_BUFFER
-test3^M^J
+test3
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
-file #2, 7, 0
+file #2, 5, 0
 [orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
 source: HTTP
-MD5: 1a3d75d44753ad246f0bd333cdaf08b0
-SHA1: 4f98809ab09272dfcc58266e3f23ae2393f70e76
-SHA256: 018c67a2c30ed9977e1dddfe98cac542165dac355cf9764c91a362613e752933
+MD5: 8ad8757baa8564dc136c1e07507f4a98
+SHA1: 3ebfa301dc59196f18593c45e519287a23297589
+SHA256: fd61a03af4f77d870fc21e05e7e80678095c92d808cfb3b5c279ee04c74aca13
 FILE_NEW
 file #3, 0, 0
 FILE_BOF_BUFFER

testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2014-04-01-23-13-35
+#open	2014-09-08-21-55-01
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009721	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CXWv6p3arKYeMETxOg	HTTP	0	SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	FakNcS1Jfe01uljb3-file
-#close	2014-04-01-23-13-35
+1362692527.009512	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CXWv6p3arKYeMETxOg	HTTP	0	SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000263	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	FakNcS1Jfe01uljb3-file
+#close	2014-09-08-21-55-01

testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out

@@ -6,12 +6,12 @@ MIME_TYPE
 text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
-file #0, 79, 0
+file #0, 77, 0
 [orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
 source: SMTP
-MD5: 92bca2e6cdcde73647125da7dccbdd07
-SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13
-SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5
+MD5: 58aff3af22807bc5f4b6357c0038256c
+SHA1: c39dc8cd0f8d8b1f7fc8b362c41e69fdf20f668a
+SHA256: 8d057f3af311c20675eea767a9df5fa31ff3597c6d5d50fd0cdc34766c40204d
 FILE_NEW
 file #1, 0, 0
 FILE_BOF_BUFFER

testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/thefile0

@@ -10,4 +10,3 @@ Find the attachment
 
 GPS
 
-

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2014-04-01-23-13-48
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	set[string]
-1396394028.821227	-	-	-	-	-	-	-	-	123.123.123.123	Intel::ADDR	Intel::IN_ANYWHERE	worker-1
-#close	2014-04-01-23-13-58
+#open	2014-09-23-16-13-39
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
+#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
+1411488819.555114	-	-	-	-	-	-	-	-	123.123.123.123	Intel::ADDR	Intel::IN_ANYWHERE	worker-2	worker-1
+#close	2014-09-23-16-13-49

testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2014-04-01-23-14-04
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	set[string]
-1396394044.377145	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	source1
-1396394044.377145	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	source1
-#close	2014-04-01-23-14-04
+#open	2014-09-23-16-14-49
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
+#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
+1411488889.571819	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	bro	source1
+1411488889.571819	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	bro	source1
+#close	2014-09-23-16-14-49

testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2014-04-01-23-14-12
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	set[string]
-1396394052.512481	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	source1
-1396394052.512481	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
-1396394053.554897	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	source1
-1396394053.554897	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
-#close	2014-04-01-23-14-21
+#open	2014-09-23-16-15-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
+#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
+1411488900.900403	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	worker-1	source1
+1411488900.900403	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	worker-1	source1
+1411488901.923543	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	worker-2	source1
+1411488901.923543	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	worker-2	source1
+#close	2014-09-23-16-15-09

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.options/ssh.ds.xml

@@ -1,16 +0,0 @@
-<ExtentType name="ssh" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-	<field type="variable32" name="status" pack_unique="yes"/>
-	<field type="variable32" name="country" pack_unique="yes"/>
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-<!-- status : string -->
-<!-- country : string -->

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.rotate/out

@@ -1,290 +0,0 @@
-test.2011-03-07-03-00-05.ds test 11-03-07_03.00.05 11-03-07_04.00.05 0 dataseries
-test.2011-03-07-04-00-05.ds test 11-03-07_04.00.05 11-03-07_05.00.05 0 dataseries
-test.2011-03-07-05-00-05.ds test 11-03-07_05.00.05 11-03-07_06.00.05 0 dataseries
-test.2011-03-07-06-00-05.ds test 11-03-07_06.00.05 11-03-07_07.00.05 0 dataseries
-test.2011-03-07-07-00-05.ds test 11-03-07_07.00.05 11-03-07_08.00.05 0 dataseries
-test.2011-03-07-08-00-05.ds test 11-03-07_08.00.05 11-03-07_09.00.05 0 dataseries
-test.2011-03-07-09-00-05.ds test 11-03-07_09.00.05 11-03-07_10.00.05 0 dataseries
-test.2011-03-07-10-00-05.ds test 11-03-07_10.00.05 11-03-07_11.00.05 0 dataseries
-test.2011-03-07-11-00-05.ds test 11-03-07_11.00.05 11-03-07_12.00.05 0 dataseries
-test.2011-03-07-12-00-05.ds test 11-03-07_12.00.05 11-03-07_12.59.55 1 dataseries
-> test.2011-03-07-03-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299466805.000000 10.0.0.1 20 10.0.0.2 1024
-1299470395.000000 10.0.0.2 20 10.0.0.3 0
-> test.2011-03-07-04-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299470405.000000 10.0.0.1 20 10.0.0.2 1025
-1299473995.000000 10.0.0.2 20 10.0.0.3 1
-> test.2011-03-07-05-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299474005.000000 10.0.0.1 20 10.0.0.2 1026
-1299477595.000000 10.0.0.2 20 10.0.0.3 2
-> test.2011-03-07-06-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299477605.000000 10.0.0.1 20 10.0.0.2 1027
-1299481195.000000 10.0.0.2 20 10.0.0.3 3
-> test.2011-03-07-07-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299481205.000000 10.0.0.1 20 10.0.0.2 1028
-1299484795.000000 10.0.0.2 20 10.0.0.3 4
-> test.2011-03-07-08-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299484805.000000 10.0.0.1 20 10.0.0.2 1029
-1299488395.000000 10.0.0.2 20 10.0.0.3 5
-> test.2011-03-07-09-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299488405.000000 10.0.0.1 20 10.0.0.2 1030
-1299491995.000000 10.0.0.2 20 10.0.0.3 6
-> test.2011-03-07-10-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299492005.000000 10.0.0.1 20 10.0.0.2 1031
-1299495595.000000 10.0.0.2 20 10.0.0.3 7
-> test.2011-03-07-11-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299495605.000000 10.0.0.1 20 10.0.0.2 1032
-1299499195.000000 10.0.0.2 20 10.0.0.3 8
-> test.2011-03-07-12-00-05.ds
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="test" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-
-# Extent, type='test'
-t id.orig_h id.orig_p id.resp_h id.resp_p
-1299499205.000000 10.0.0.1 20 10.0.0.2 1033
-1299502795.000000 10.0.0.2 20 10.0.0.3 9

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.test-logging/ssh.ds.txt

@@ -1,34 +0,0 @@
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="ssh" version="1.0" namespace="bro.org">
-	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-	<field type="variable32" name="status" pack_unique="yes"/>
-	<field type="variable32" name="country" pack_unique="yes"/>
-</ExtentType>
-<!-- t : time -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-<!-- status : string -->
-<!-- country : string -->
-
-# Extent, type='ssh'
-t id.orig_h id.orig_p id.resp_h id.resp_p status country
-1342748962.493341 1.2.3.4 1234 2.3.4.5 80 success unknown
-1342748962.493341 1.2.3.4 1234 2.3.4.5 80 failure US
-1342748962.493341 1.2.3.4 1234 2.3.4.5 80 failure UK
-1342748962.493341 1.2.3.4 1234 2.3.4.5 80 success BR
-1342748962.493341 1.2.3.4 1234 2.3.4.5 80 failure MX

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt

@@ -1,89 +0,0 @@
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="conn" version="1.0" namespace="bro.org">
-	<field type="int64" name="ts" pack_relative="ts" units="microseconds" epoch="unix"/>
-	<field type="variable32" name="uid" pack_unique="yes"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-	<field type="variable32" name="proto" pack_unique="yes"/>
-	<field type="variable32" name="service" pack_unique="yes"/>
-	<field type="int64" name="duration" pack_relative="duration" units="microseconds" epoch="unix"/>
-	<field type="int64" name="orig_bytes" />
-	<field type="int64" name="resp_bytes" />
-	<field type="variable32" name="conn_state" pack_unique="yes"/>
-	<field type="bool" name="local_orig" />
-	<field type="int64" name="missed_bytes" />
-	<field type="variable32" name="history" pack_unique="yes"/>
-	<field type="int64" name="orig_pkts" />
-	<field type="int64" name="orig_ip_bytes" />
-	<field type="int64" name="resp_pkts" />
-	<field type="int64" name="resp_ip_bytes" />
-	<field type="variable32" name="tunnel_parents" pack_unique="yes"/>
-</ExtentType>
-<!-- ts : time -->
-<!-- uid : string -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-<!-- proto : enum -->
-<!-- service : string -->
-<!-- duration : interval -->
-<!-- orig_bytes : count -->
-<!-- resp_bytes : count -->
-<!-- conn_state : string -->
-<!-- local_orig : bool -->
-<!-- missed_bytes : count -->
-<!-- history : string -->
-<!-- orig_pkts : count -->
-<!-- orig_ip_bytes : count -->
-<!-- resp_pkts : count -->
-<!-- resp_ip_bytes : count -->
-<!-- tunnel_parents : set[string] -->
-
-# Extent, type='conn'
-ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
-1300475167096535 CXWv6p3arKYeMETxOg 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0 
-1300475167097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns 0 0 0 S0 F 0 D 1 199 0 0 
-1300475167099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 179 0 0 
-1300475168853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 udp dns 435 38 89 SF F 0 Dd 1 66 1 117 
-1300475168854378 C6pKV8GSxOnSLghOa 141.142.220.118 37676 141.142.2.2 53 udp dns 420 52 99 SF F 0 Dd 1 80 1 127 
-1300475168854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 38 183 SF F 0 Dd 1 66 1 211 
-1300475168857956 CMXxB5GvmoxJFXdTa 141.142.220.118 32902 141.142.2.2 53 udp dns 317 38 89 SF F 0 Dd 1 66 1 117 
-1300475168858306 Caby8b1slFea8xwSmb 141.142.220.118 59816 141.142.2.2 53 udp dns 343 52 99 SF F 0 Dd 1 80 1 127 
-1300475168858713 Che1bq3i2rO3KD1Syg 141.142.220.118 59714 141.142.2.2 53 udp dns 375 38 183 SF F 0 Dd 1 66 1 211 
-1300475168891644 CEle3f3zno26fFZkrh 141.142.220.118 58206 141.142.2.2 53 udp dns 339 38 89 SF F 0 Dd 1 66 1 117 
-1300475168892037 CwSkQu4eWZCH7OONC1 141.142.220.118 38911 141.142.2.2 53 udp dns 334 52 99 SF F 0 Dd 1 80 1 127 
-1300475168892414 CfTOmO0HKorjr8Zp7 141.142.220.118 59746 141.142.2.2 53 udp dns 420 38 183 SF F 0 Dd 1 66 1 211 
-1300475168893988 Cab0vO1xNYSS2hJkle 141.142.220.118 45000 141.142.2.2 53 udp dns 384 38 89 SF F 0 Dd 1 66 1 117 
-1300475168894422 Cx2FqO23omNawSNrxj 141.142.220.118 48479 141.142.2.2 53 udp dns 316 52 99 SF F 0 Dd 1 80 1 127 
-1300475168894787 Cx3C534wEyF3OvvcQe 141.142.220.118 48128 141.142.2.2 53 udp dns 422 38 183 SF F 0 Dd 1 66 1 211 
-1300475168901749 CUKS0W3HFYOnBqSE5e 141.142.220.118 56056 141.142.2.2 53 udp dns 402 36 131 SF F 0 Dd 1 64 1 159 
-1300475168902195 CRrfvP2lalMAYOCLhj 141.142.220.118 55092 141.142.2.2 53 udp dns 374 36 198 SF F 0 Dd 1 64 1 226 
-1300475169899438 CojBOU3CXcLHl1r6x1 141.142.220.44 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 85 0 0 
-1300475170862384 CJzVQRGJrX6V15ik7 141.142.220.226 137 141.142.220.255 137 udp dns 2613016 350 0 S0 F 0 D 7 546 0 0 
-1300475171675372 ClAbxY1nmdjCuo0Le2 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 100096 66 0 S0 F 0 D 2 162 0 0 
-1300475171677081 CwG0BF1VXE0gWgs78 141.142.220.226 55131 224.0.0.252 5355 udp dns 100020 66 0 S0 F 0 D 2 122 0 0 
-1300475173116749 CisNaL1Cm73CiNOmcg fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 99801 66 0 S0 F 0 D 2 162 0 0 
-1300475173117362 CBQnJn22qN8TOeeZil 141.142.220.226 55671 224.0.0.252 5355 udp dns 99848 66 0 S0 F 0 D 2 122 0 0 
-1300475173153679 CbEsuD3dgDDngdlbKf 141.142.220.238 56641 141.142.220.255 137 udp dns 0 0 0 S0 F 0 D 1 78 0 0 
-1300475168859163 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 tcp http 215893 1130 734 S1 F 0 ShADad 6 1450 4 950 
-1300475168652003 CsRx2w45OKnoww6xl4 141.142.220.118 35634 208.80.152.2 80 tcp  61328 463 350 OTH F 0 DdA 2 567 1 402 
-1300475168895267 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 tcp http 227283 1178 734 S1 F 0 ShADad 6 1498 4 950 
-1300475168902635 Cn78a440HlxuyZKs6f 141.142.220.118 35642 208.80.152.2 80 tcp http 120040 534 412 S1 F 0 ShADad 4 750 3 576 
-1300475168892936 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 tcp http 229603 1148 734 S1 F 0 ShADad 6 1468 4 950 
-1300475168855305 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 tcp http 218501 1171 733 S1 F 0 ShADad 6 1491 4 949 
-1300475168892913 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 tcp http 220960 1137 733 S1 F 0 ShADad 6 1457 4 949 
-1300475169780331 CUof3F2yAIid8QS3dk 141.142.220.235 6705 173.192.163.128 80 tcp  0 0 0 OTH F 0 h 0 0 1 48 
-1300475168724007 CRJuHdVW0XPVINV8a 141.142.220.118 48649 208.80.152.118 80 tcp http 119904 525 232 S1 F 0 ShADad 4 741 3 396 
-1300475168855330 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 tcp http 219720 1125 734 S1 F 0 ShADad 6 1445 4 950 

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt

@@ -1,89 +0,0 @@
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="conn" version="1.0" namespace="bro.org">
-	<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="uid" pack_unique="yes"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-	<field type="variable32" name="proto" pack_unique="yes"/>
-	<field type="variable32" name="service" pack_unique="yes"/>
-	<field type="double" name="duration" pack_relative="duration" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="int64" name="orig_bytes" />
-	<field type="int64" name="resp_bytes" />
-	<field type="variable32" name="conn_state" pack_unique="yes"/>
-	<field type="bool" name="local_orig" />
-	<field type="int64" name="missed_bytes" />
-	<field type="variable32" name="history" pack_unique="yes"/>
-	<field type="int64" name="orig_pkts" />
-	<field type="int64" name="orig_ip_bytes" />
-	<field type="int64" name="resp_pkts" />
-	<field type="int64" name="resp_ip_bytes" />
-	<field type="variable32" name="tunnel_parents" pack_unique="yes"/>
-</ExtentType>
-<!-- ts : time -->
-<!-- uid : string -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-<!-- proto : enum -->
-<!-- service : string -->
-<!-- duration : interval -->
-<!-- orig_bytes : count -->
-<!-- resp_bytes : count -->
-<!-- conn_state : string -->
-<!-- local_orig : bool -->
-<!-- missed_bytes : count -->
-<!-- history : string -->
-<!-- orig_pkts : count -->
-<!-- orig_ip_bytes : count -->
-<!-- resp_pkts : count -->
-<!-- resp_ip_bytes : count -->
-<!-- tunnel_parents : set[string] -->
-
-# Extent, type='conn'
-ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
-1300475167.096535 CXWv6p3arKYeMETxOg 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 
-1300475167.097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns 0.000000 0 0 S0 F 0 D 1 199 0 0 
-1300475167.099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 179 0 0 
-1300475168.853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF F 0 Dd 1 66 1 117 
-1300475168.854378 C6pKV8GSxOnSLghOa 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF F 0 Dd 1 80 1 127 
-1300475168.854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF F 0 Dd 1 66 1 211 
-1300475168.857956 CMXxB5GvmoxJFXdTa 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF F 0 Dd 1 66 1 117 
-1300475168.858306 Caby8b1slFea8xwSmb 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF F 0 Dd 1 80 1 127 
-1300475168.858713 Che1bq3i2rO3KD1Syg 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF F 0 Dd 1 66 1 211 
-1300475168.891644 CEle3f3zno26fFZkrh 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF F 0 Dd 1 66 1 117 
-1300475168.892037 CwSkQu4eWZCH7OONC1 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF F 0 Dd 1 80 1 127 
-1300475168.892414 CfTOmO0HKorjr8Zp7 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF F 0 Dd 1 66 1 211 
-1300475168.893988 Cab0vO1xNYSS2hJkle 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF F 0 Dd 1 66 1 117 
-1300475168.894422 Cx2FqO23omNawSNrxj 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF F 0 Dd 1 80 1 127 
-1300475168.894787 Cx3C534wEyF3OvvcQe 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF F 0 Dd 1 66 1 211 
-1300475168.901749 CUKS0W3HFYOnBqSE5e 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF F 0 Dd 1 64 1 159 
-1300475168.902195 CRrfvP2lalMAYOCLhj 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF F 0 Dd 1 64 1 226 
-1300475169.899438 CojBOU3CXcLHl1r6x1 141.142.220.44 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 85 0 0 
-1300475170.862384 CJzVQRGJrX6V15ik7 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 F 0 D 7 546 0 0 
-1300475171.675372 ClAbxY1nmdjCuo0Le2 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 F 0 D 2 162 0 0 
-1300475171.677081 CwG0BF1VXE0gWgs78 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 F 0 D 2 122 0 0 
-1300475173.116749 CisNaL1Cm73CiNOmcg fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 F 0 D 2 162 0 0 
-1300475173.117362 CBQnJn22qN8TOeeZil 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 F 0 D 2 122 0 0 
-1300475173.153679 CbEsuD3dgDDngdlbKf 141.142.220.238 56641 141.142.220.255 137 udp dns 0.000000 0 0 S0 F 0 D 1 78 0 0 
-1300475168.859163 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 F 0 ShADad 6 1450 4 950 
-1300475168.652003 CsRx2w45OKnoww6xl4 141.142.220.118 35634 208.80.152.2 80 tcp  0.061329 463 350 OTH F 0 DdA 2 567 1 402 
-1300475168.895267 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 F 0 ShADad 6 1498 4 950 
-1300475168.902635 Cn78a440HlxuyZKs6f 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 F 0 ShADad 4 750 3 576 
-1300475168.892936 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 F 0 ShADad 6 1468 4 950 
-1300475168.855305 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 F 0 ShADad 6 1491 4 949 
-1300475168.892913 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 F 0 ShADad 6 1457 4 949 
-1300475169.780331 CUof3F2yAIid8QS3dk 141.142.220.235 6705 173.192.163.128 80 tcp  0.000000 0 0 OTH F 0 h 0 0 1 48 
-1300475168.724007 CRJuHdVW0XPVINV8a 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 F 0 ShADad 4 741 3 396 
-1300475168.855330 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 F 0 ShADad 6 1445 4 950 

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt

@@ -1,83 +0,0 @@
-# Extent Types ...
-<ExtentType name="DataSeries: ExtentIndex">
-  <field type="int64" name="offset" />
-  <field type="variable32" name="extenttype" />
-</ExtentType>
-
-<ExtentType name="DataSeries: XmlType">
-  <field type="variable32" name="xmltype" />
-</ExtentType>
-
-<ExtentType name="http" version="1.0" namespace="bro.org">
-	<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
-	<field type="variable32" name="uid" pack_unique="yes"/>
-	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
-	<field type="int64" name="id.orig_p" />
-	<field type="variable32" name="id.resp_h" pack_unique="yes"/>
-	<field type="int64" name="id.resp_p" />
-	<field type="int64" name="trans_depth" />
-	<field type="variable32" name="method" pack_unique="yes"/>
-	<field type="variable32" name="host" pack_unique="yes"/>
-	<field type="variable32" name="uri" pack_unique="yes"/>
-	<field type="variable32" name="referrer" pack_unique="yes"/>
-	<field type="variable32" name="user_agent" pack_unique="yes"/>
-	<field type="int64" name="request_body_len" />
-	<field type="int64" name="response_body_len" />
-	<field type="int64" name="status_code" />
-	<field type="variable32" name="status_msg" pack_unique="yes"/>
-	<field type="int64" name="info_code" />
-	<field type="variable32" name="info_msg" pack_unique="yes"/>
-	<field type="variable32" name="filename" pack_unique="yes"/>
-	<field type="variable32" name="tags" pack_unique="yes"/>
-	<field type="variable32" name="username" pack_unique="yes"/>
-	<field type="variable32" name="password" pack_unique="yes"/>
-	<field type="variable32" name="proxied" pack_unique="yes"/>
-	<field type="variable32" name="orig_fuids" pack_unique="yes"/>
-	<field type="variable32" name="orig_mime_types" pack_unique="yes"/>
-	<field type="variable32" name="resp_fuids" pack_unique="yes"/>
-	<field type="variable32" name="resp_mime_types" pack_unique="yes"/>
-</ExtentType>
-<!-- ts : time -->
-<!-- uid : string -->
-<!-- id.orig_h : addr -->
-<!-- id.orig_p : port -->
-<!-- id.resp_h : addr -->
-<!-- id.resp_p : port -->
-<!-- trans_depth : count -->
-<!-- method : string -->
-<!-- host : string -->
-<!-- uri : string -->
-<!-- referrer : string -->
-<!-- user_agent : string -->
-<!-- request_body_len : count -->
-<!-- response_body_len : count -->
-<!-- status_code : count -->
-<!-- status_msg : string -->
-<!-- info_code : count -->
-<!-- info_msg : string -->
-<!-- filename : string -->
-<!-- tags : set[enum] -->
-<!-- username : string -->
-<!-- password : string -->
-<!-- proxied : set[string] -->
-<!-- orig_fuids : vector[string] -->
-<!-- orig_mime_types : vector[string] -->
-<!-- resp_fuids : vector[string] -->
-<!-- resp_mime_types : vector[string] -->
-
-# Extent, type='http'
-ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied orig_fuids orig_mime_types resp_fuids resp_mime_types
-1300475168.784020 CRJuHdVW0XPVINV8a 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.916018 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.916183 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.918358 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/b/bd/Bookshelf-40x201_6.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.952307 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/8/8a/Wikinews-logo.png/35px-Wikinews-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.952296 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/4/4a/Wiktionary-logo-en-35px.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.954820 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikiquote-logo.svg/35px-Wikiquote-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.962687 Cn78a440HlxuyZKs6f 141.142.220.118 35642 208.80.152.2 80 1 GET meta.wikimedia.org /images/wikimedia-button.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.975934 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/f/fa/Wikibooks-logo.svg/35px-Wikibooks-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.976436 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/d/df/Wikispecies-logo.svg/35px-Wikispecies-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475168.979264 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/35px-Wikisource-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475169.014619 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475169.014593 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          
-1300475169.014927 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified 0          

testing/btest/Baseline/scripts.base.protocols.dns.tsig/out

@@ -0,0 +1,2 @@
+[query=secret-key, qtype=3, alg_name=hmac-md5.sig-alg.reg.int, sig=F\xbd\xbf1\xef^B6\xb8\xeb\xae1u,\x87\xdb^?, time_signed=21513.794, fudge=300.0, orig_id=9703, rr_error=0, is_query=1]
+16

testing/btest/Baseline/scripts.base.protocols.http.entity-gap/entity_data

@@ -0,0 +1,4 @@
+^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
+<1448 byte gap>
+s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP now links against
+ thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J

testing/btest/Baseline/scripts.base.protocols.http.entity-gap2/entity_data

@@ -0,0 +1,4 @@
+^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
+   rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-release script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices format for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
+<1448 byte gap>
+ thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J

testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/modbus.log

@@ -3,9 +3,13 @@
 #empty_field	(empty)
 #unset_field	-
 #path	modbus
-#open	2013-08-26-19-04-11
+#open	2014-09-11-15-00-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	func	exception
 #types	time	string	addr	port	addr	port	string	string
 1153491909.414125	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	unknown-156	-
+1153491911.997264	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	unknown-160	-
 1153491913.013726	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	unknown-162	-
-#close	2013-08-26-19-04-11
+1153491923.091742	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	unknown-175	-
+1153491923.091742	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	unknown-179	-
+1153491923.623460	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	unknown-165	-
+#close	2014-09-11-15-00-05

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -64,10 +64,9 @@
 1254722770.692743 mime_begin_entity
 1254722770.692743 mime_one_header
 1254722770.692743 mime_one_header
-1254722770.692786 get_file_handle
+1254722770.692743 get_file_handle
 1254722770.692786 file_new
 1254722770.692786 file_over_new_connection
-1254722770.692804 get_file_handle
 1254722770.692804 mime_end_entity
 1254722770.692804 get_file_handle
 1254722770.692804 file_state_remove
@@ -79,20 +78,10 @@
 1254722770.692804 mime_one_header
 1254722770.692804 mime_one_header
 1254722770.692804 mime_one_header
-1254722770.692823 get_file_handle
+1254722770.692804 get_file_handle
 1254722770.692823 file_new
 1254722770.692823 file_over_new_connection
-1254722770.692823 get_file_handle
 1254722770.695115 new_connection
-1254722771.469814 get_file_handle
-1254722771.494181 get_file_handle
-1254722771.494181 get_file_handle
-1254722771.494199 get_file_handle
-1254722771.834628 get_file_handle
-1254722771.834655 get_file_handle
-1254722771.834655 get_file_handle
-1254722771.858316 get_file_handle
-1254722771.858334 get_file_handle
 1254722771.858334 mime_end_entity
 1254722771.858334 get_file_handle
 1254722771.858334 file_state_remove

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log

@@ -305,15 +305,15 @@
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=77, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -331,22 +331,17 @@
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
-1254722770.692786 get_file_handle
+1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692786 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692786 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722770.692804 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692804 mime_end_entity
@@ -358,7 +353,7 @@
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-famil, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">^M^J<meta name=Generator content="Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-compose;^M^J^Ifont-family:"Calibri","sans-serif";^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -393,72 +388,22 @@
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;^Ifilename="NEWS.txt"]
 
-1254722770.692823 get_file_handle
+1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692823 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692823 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722770.692823 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.695115 new_connection
                   [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1254722771.469814 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0], start_time=1254722767.529046, duration=3.940768, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.494181 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.494181 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.494199 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965153, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.834628 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305582, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.834655 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.834655 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.858316 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.32927, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1254722771.858334 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
-                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
 1254722771.858334 mime_end_entity
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
@@ -468,7 +413,7 @@
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (m, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP

testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-digicert.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-09-04-19-17-18
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	ocsp_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1404148886.994021	CXWv6p3arKYeMETxOg	192.168.4.149	51293	72.21.91.29	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	secp256r1	-	-	-	T	FhwjYM0FkbvVCvMf2,Fajs2d2lipsadwoK1h	(empty)	CN=www.digicert.com,O=DigiCert\, Inc.,L=Lehi,ST=Utah,C=US,postalCode=84043,street=2600 West Executive Parkway,street=Suite 500,serialNumber=5299537-0142,1.3.6.1.4.1.311.60.2.1.2=#130455746168,1.3.6.1.4.1.311.60.2.1.3=#13025553,businessCategory=Private Organization	CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US	-	-	good
+#close	2014-09-04-19-17-18

testing/btest/Baseline/scripts.policy.protocols.ssl.validate-ocsp/ssl-twimg.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-09-04-19-17-14
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	ocsp_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1409786981.016881	CXWv6p3arKYeMETxOg	192.168.4.149	53106	93.184.216.146	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	secp256r1	-	-	-	T	FtaZVlJfywdNmVFr1,FoILekwkdtTuZtlVa	(empty)	CN=si0.twimg.com,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US	CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US	-	-	good
+#close	2014-09-04-19-17-14

testing/btest/btest.cfg

@@ -1,5 +1,5 @@
 [btest]
-TestDirs    = doc bifs language core scripts istate coverage signatures
+TestDirs    = doc bifs language core scripts istate coverage signatures plugins
 TmpDir      = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs  = .svn CVS .tmp

testing/btest/core/leaks/dataseries-rotate.bro

@@ -1,36 +0,0 @@
-#
-# @TEST-REQUIRES: has-writer DataSeries && which ds2txt
-# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
-#
-# @TEST-GROUP: leaks
-# @TEST-GROUP: dataseries
-#
-# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/rotation.trace %INPUT Log::default_writer=Log::WRITER_DATASERIES
-# @TEST-EXEC: btest-bg-wait 15
-
-module Test;
-
-export {
-	# Create a new ID for our log stream
-	redef enum Log::ID += { LOG };
-
-	# Define a record with all the columns the log file can have.
-	# (I'm using a subset of fields from ssh-ext for demonstration.)
-	type Log: record {
-		t: time;
-		id: conn_id; # Will be rolled out into individual columns.
-	} &log;
-}
-
-redef Log::default_rotation_interval = 1hr;
-redef Log::default_rotation_postprocessor_cmd = "echo";
-
-event bro_init()
-{
-	Log::create_stream(Test::LOG, [$columns=Log]);
-}
-
-event new_connection(c: connection)
-	{
-	Log::write(Test::LOG, [$t=network_time(), $id=c$id]);
-	}

testing/btest/core/leaks/dataseries.bro

@@ -1,11 +0,0 @@
-# Needs perftools support.
-#
-# @TEST-REQUIRES: has-writer DataSeries && which ds2txt
-# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
-#
-# @TEST-GROUP: leaks
-# @TEST-GROUP: dataseries
-#
-# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
-# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_DATASERIES
-# @TEST-EXEC: btest-bg-wait 25

testing/btest/core/pcap/dumper.bro

@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -r $TRACES/workshop_2011_browse.trace -w dump
+# @TEST-EXEC: hexdump -C $TRACES/workshop_2011_browse.trace >1
+# @TEST-EXEC: hexdump -C dump >2
+# @TEST-EXEC: sdiff -s 1 2 >output || true
+# @TEST-EXEC: btest-diff output

testing/btest/core/pcap/dynamic-filter.bro

@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff conn.log
+
+redef enum PcapFilterID += { A, B };
+
+global cnt = 0;
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	++cnt;
+
+	print cnt, c$id;
+	
+	if ( cnt == 1 )
+		if ( ! install_pcap_filter(A) )
+			print "error 3";
+
+	if ( cnt == 2 )
+		if ( ! install_pcap_filter(B) )
+			print "error 4";
+	}
+
+event bro_init()
+	{
+	if ( ! precompile_pcap_filter(A, "port 80") )
+		print "error 1";
+	
+	if ( ! precompile_pcap_filter(B, "port 53") )
+		print "error 2";
+	}
+

testing/btest/core/pcap/filter-error.bro

@@ -0,0 +1,16 @@
+# @TEST-EXEC-FAIL: bro -r $TRACES/workshop_2011_browse.trace -f "kaputt" >>output 2>&1
+# @TEST-EXEC-FAIL: test -e conn.log
+# @TEST-EXEC: echo ---- >>output
+# @TEST-EXEC: bro -r $TRACES/workshop_2011_browse.trace  %INPUT >>output 2>&1
+# @TEST-EXEC: test -e conn.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+redef enum PcapFilterID += { A };
+
+event bro_init()
+	{
+	if ( ! precompile_pcap_filter(A, "kaputt, too") )
+		print "error", pcap_error();
+	}
+
+

testing/btest/core/pcap/input-error.bro

@@ -0,0 +1,14 @@
+# @TEST-EXEC-FAIL: bro -i NO_SUCH_INTERFACE 2>&1  >>output 2>&1
+# @TEST-EXEC: cat output | sed 's/(.*)//g' >output2
+# @TEST-EXEC-FAIL: bro -r NO_SUCH_TRACE 2>&1 >>output2 2>&1
+# @TEST-EXEC: btest-diff output2
+
+redef enum PcapFilterID += { A };
+
+event bro_init()
+	{
+	if ( ! precompile_pcap_filter(A, "kaputt, too") )
+		print "error", pcap_error();
+	}
+
+

testing/btest/core/pcap/pseudo-realtime.bro

@@ -0,0 +1,42 @@
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT --pseudo-realtime >output
+# @TEST-EXEC: btest-diff output
+
+global init = F;
+global last_network = network_time();
+global last_current = current_time();
+global cnt = 0;
+global an = 0secs;
+global ac = 0secs;
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	local tn = network_time();
+	local tc = current_time();
+	local dn = tn - last_network;
+	local dc = tc - last_current;
+
+	last_network = tn;
+	last_current = tc;
+	++cnt;
+
+	if ( ! init ) 
+		{
+		init = T;
+		return;
+		}
+
+	an += dn;
+	ac += dc;
+	
+	# print fmt("num=%d agg_delta_network=%.1f agg_delta_real=%.1f", cnt, an, ac);
+	}
+
+event bro_done()
+	{
+	local d = (an - ac);
+	if ( d < 0 secs)
+		d = -d;
+	
+	print fmt("real time %s trace time", d < 1.0secs ? "matches" : "does NOT match");
+	}
+

testing/btest/core/pcap/read-trace-with-filter.bro

@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace -f "port 50000"
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff packet_filter.log

testing/btest/coverage/find-bro-logs.test

@@ -0,0 +1,55 @@
+# This test is intended to help keep Bro's reference documentation up-to-date.
+# If this test fails, then it indicates that the set of all the log filenames
+# that Bro could potentially create (with the scripts included with Bro) has
+# changed.  In that case, the reference documentation listing all Bro log files
+# should be checked and updated if necessary.
+
+# @TEST-EXEC: bash %INPUT
+# @TEST-EXEC: btest-diff out
+
+BROSCRIPTS=${DIST}/scripts
+
+if [ ! -d "${BROSCRIPTS}" ]; then
+    echo "Directory not found: ${BROSCRIPTS}" 1>&2
+    exit 1
+fi
+
+# For a given Bro script, look for a call to "create_stream".  If found,
+# extract the log ID (adding the module name if necessary), and print the
+# log ID and script filename.
+cat << '_EOF_' > find_logid.awk
+/module[ ]+[A-Za-z0-9_]/ {
+    mod = $2
+    if ( substr(mod, length(mod), 1) == ";" ) {
+        mod = substr(mod, 1, length(mod)-1)
+    }
+}
+
+/Log::create_stream/ {
+    if ( substr($1, 1, 1) != "#" ) {
+        x = index($1, "(")
+        logid = substr($1, x+1, length($1)-x-1)
+        if ( logid == "LOG" ) {
+            printf "%s::", mod
+        }
+        printf "%s", logid
+        printf " %s\n", FILENAME
+    }
+}
+_EOF_
+
+find -L ${BROSCRIPTS} -type f -exec awk -f find_logid.awk {} \; > out.logid
+
+if [ ! -s out.logid ]; then
+    echo "Did not find Bro scripts in directory: ${BROSCRIPTS}" 1>&2
+    exit 1
+fi
+
+# For each log ID, have Bro convert it to the corresponding log filename
+# using the default mechanism for generating a log filename (we must load
+# all Bro scripts so that all log IDs are defined).
+awk '{print $1}' out.logid | while read logid; do
+    bro ${BROSCRIPTS}/test-all-policy.bro -e "print Log::default_path_func(${logid}, \"\", 0);" >> out.tmp
+done
+
+grep -v WARNING out.tmp | sort -u > out

testing/btest/doc/broxygen/command_line.bro

@@ -0,0 +1,7 @@
+# Shouldn't emit any warnings about not being able to document something
+# that's supplied via command line script.
+
+# @TEST-EXEC: bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+const myvar = 5 &redef;

testing/btest/language/outer_param_binding.bro

@@ -0,0 +1,27 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type Foo: record {
+	x: function(a: string) : string;
+};
+
+function bar(b: string, c: string)
+	{
+	local f: Foo;
+	local d = 8;
+	f = [$x=function(a: string) : string
+			{
+			local x = 0;
+			print x;
+			print c, d;
+			return cat(a, " ", b);
+			}
+		];
+
+	print f$x("2");
+	}
+
+event bro_init()
+	{
+	bar("1", "20");
+	}

testing/btest/plugins/api-version-mismatch.sh

@@ -1,7 +1,8 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
 # @TEST-EXEC: bash %INPUT
-# @TEST-EXEC: make BRO=${DIST}
-# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output 2>&1
-# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1
+# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
 
 ( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc

testing/btest/plugins/bifs-and-scripts-install.sh

@@ -1,11 +1,14 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
 # @TEST-EXEC: bash %INPUT
-# @TEST-EXEC: BRO_PLUGIN_INSTALL=`pwd`/test-install make BRO=${DIST}
+# @TEST-EXEC: ./configure --bro-dist=${DIST} --install-root=`pwd`/test-install
+# @TEST-EXEC: make
 # @TEST-EXEC: make install
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd`/test-install bro -NN Demo::Foo >>output
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro demo/foo -r $TRACES/empty.trace >>output
 # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
 
+mkdir -p scripts/demo/foo/base/
+
 cat >scripts/__load__.bro <<EOF
 @load ./demo/foo/base/at-startup.bro
 EOF
@@ -21,8 +24,6 @@ event bro_init() &priority=-10
         }
 EOF
 
-mkdir -p scripts/demo/foo/base/
-
 cat >scripts/demo/foo/base/at-startup.bro <<EOF
 event bro_init() &priority=10
         {
@@ -31,17 +32,16 @@ event bro_init() &priority=10
         }
 EOF
 
-cat >src/functions.bif <<EOF
+cat >src/foo.bif <<EOF
 function hello_plugin_world%(%): string
         %{
         return new StringVal("Hello from the plugin!");
         %}
+
+event plugin_event%(foo: count%);
 EOF
 
 cat >activate.bro <<EOF
 @load-plugin Demo::Foo
 EOF
 
-cat >src/events.bif <<EOF
-event plugin_event%(foo: count%);
-EOF

testing/btest/plugins/bifs-and-scripts.sh

@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
 # @TEST-EXEC: bash %INPUT
-# @TEST-EXEC: make BRO=${DIST}
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output
 
 # @TEST-EXEC: echo === >>output
@@ -23,6 +23,8 @@
 
 # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
 
+mkdir -p scripts/demo/foo/base/
+
 cat >scripts/__load__.bro <<EOF
 @load ./demo/foo/base/at-startup.bro
 EOF
@@ -38,8 +40,6 @@ event bro_init() &priority=-10
         }
 EOF
 
-mkdir -p scripts/demo/foo/base/
-
 cat >scripts/demo/foo/base/at-startup.bro <<EOF
 event bro_init() &priority=10
         {
@@ -48,17 +48,16 @@ event bro_init() &priority=10
         }
 EOF
 
-cat >src/functions.bif <<EOF
+cat >src/foo.bif <<EOF
 function hello_plugin_world%(%): string
         %{
         return new StringVal("Hello from the plugin!");
         %}
+
+event plugin_event%(foo: count%);
 EOF
 
 cat >activate.bro <<EOF
 @load-plugin Demo::Foo
 EOF
 
-cat >src/events.bif <<EOF
-event plugin_event%(foo: count%);
-EOF

testing/btest/plugins/file.bro

@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
 # @TEST-EXEC: cp -r %DIR/file-plugin/* .
-# @TEST-EXEC: make BRO=${DIST}
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/ftp/retr.trace %INPUT >>output

testing/btest/plugins/hooks.bro

@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Hooks
 # @TEST-EXEC: cp -r %DIR/hooks-plugin/* .
-# @TEST-EXEC: make BRO=${DIST}
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/http/get.trace %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
 # @TEST-EXEC: btest-diff output
 

testing/btest/plugins/init-plugin.bro

@@ -1,5 +1,5 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
-# @TEST-EXEC: make BRO=${DIST}
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/port4242.trace >>output

testing/btest/plugins/pktdumper-plugin/CMakeLists.txt

@@ -0,0 +1,17 @@
+
+project(Bro-Plugin-Demo-Foo)
+
+cmake_minimum_required(VERSION 2.6.3)
+
+if ( NOT BRO_DIST )
+    message(FATAL_ERROR "BRO_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${BRO_DIST}/cmake)
+
+include(BroPlugin)
+
+bro_plugin_begin(Demo Foo)
+bro_plugin_cc(src/Plugin.cc)
+bro_plugin_cc(src/Foo.cc)
+bro_plugin_end()

testing/btest/plugins/pktdumper-plugin/src/Foo.cc

@@ -0,0 +1,40 @@
+
+#include <fcntl.h>
+#include <stdio.h>
+
+#include "Foo.h"
+
+using namespace plugin::Demo_Foo;
+
+Foo::Foo(const std::string& path, bool is_live)
+	{
+	props.path = path;
+	}
+
+Foo::~Foo()
+	{
+	}
+
+void Foo::Open()
+	{
+	props.open_time = network_time;
+	props.hdr_size = 0;
+	Opened(props);
+	}
+
+void Foo::Close()
+	{
+	Closed();
+	}
+
+bool Foo::Dump(const Packet* pkt)
+	{
+	double t = double(pkt->hdr->ts.tv_sec) + double(pkt->hdr->ts.tv_usec) / 1e6;
+	fprintf(stdout, "Dumping to %s: %.6f len %u\n", props.path.c_str(), t, (unsigned int)pkt->hdr->len);
+	return true;
+	}
+
+iosource::PktDumper* Foo::Instantiate(const std::string& path, bool append)
+	{
+	return new Foo(path, append);
+	}

testing/btest/plugins/pktdumper-plugin/src/Foo.h

@@ -0,0 +1,30 @@
+
+#ifndef BRO_PLUGIN_DEMO_FOO_H
+#define BRO_PLUGIN_DEMO_FOO_H
+
+#include <Val.h>
+#include <iosource/PktDumper.h>
+
+namespace plugin {
+namespace Demo_Foo {
+
+class Foo : public iosource::PktDumper {
+public:
+	Foo(const std::string& path, bool is_live);
+	virtual ~Foo();
+
+	static PktDumper* Instantiate(const std::string& path, bool append);
+
+protected:
+	virtual void Open();
+	virtual void Close();
+	virtual bool Dump(const Packet* pkt);
+
+private:
+	Properties props;
+};
+
+}
+}
+
+#endif

testing/btest/plugins/pktdumper-plugin/src/Plugin.cc

@@ -0,0 +1,20 @@
+
+#include "Plugin.h"
+
+#include "Foo.h"
+
+namespace plugin { namespace Demo_Foo { Plugin plugin; } }
+
+using namespace plugin::Demo_Foo;
+
+plugin::Configuration Plugin::Configure()
+	{
+	AddComponent(new ::iosource::PktDumperComponent("FooPktDumper", "foo", ::plugin::Demo_Foo::Foo::Instantiate));
+
+	plugin::Configuration config;
+	config.name = "Demo::Foo";
+	config.description = "A Foo packet dumper";
+	config.version.major = 1;
+	config.version.minor = 0;
+	return config;
+	}

testing/btest/plugins/pktdumper.bro

@@ -0,0 +1,8 @@
+# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
+# @TEST-EXEC: cp -r %DIR/pktdumper-plugin/* .
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo  >>output
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/port4242.trace -w foo::XXX %INPUT FilteredTraceDetection::enable=F >>output
+# @TEST-EXEC: btest-diff output
+

testing/btest/plugins/pktsrc-plugin/CMakeLists.txt

@@ -0,0 +1,17 @@
+
+project(Bro-Plugin-Demo-Foo)
+
+cmake_minimum_required(VERSION 2.6.3)
+
+if ( NOT BRO_DIST )
+    message(FATAL_ERROR "BRO_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${BRO_DIST}/cmake)
+
+include(BroPlugin)
+
+bro_plugin_begin(Demo Foo)
+bro_plugin_cc(src/Plugin.cc)
+bro_plugin_cc(src/Foo.cc)
+bro_plugin_end()

testing/btest/plugins/pktsrc-plugin/src/Foo.cc

@@ -0,0 +1,77 @@
+
+#include <fcntl.h>
+#include <stdio.h>
+
+#include "Foo.h"
+
+using namespace plugin::Demo_Foo;
+
+Foo::Foo(const std::string& path, bool is_live)
+	{
+	packet =
+	string("\x45\x00\x00\x40\x15\x55\x40\x00\x3e\x06\x25\x5b\x01\x02\x00\x02"
+	"\x01\x02\x00\x03\x09\xdf\x19\xf9\x5d\x8a\x36\x7c\x00\x00\x00\x00"
+	"\xb0\x02\x40\x00\x3c\x72\x00\x00\x02\x04\x05\x5c\x01\x03\x03\x00"
+	"\x01\x01\x08\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01\x04\x02", 64);
+
+	props.path = path;
+	props.selectable_fd = open("/bin/sh", O_RDONLY); // any fd is fine.
+	props.link_type = DLT_RAW;
+	props.hdr_size = 0;
+	props.netmask = 0;
+	props.is_live = 0;
+	}
+
+iosource::PktSrc* Foo::Instantiate(const std::string& path, bool is_live)
+	{
+	return new Foo(path, is_live);
+	}
+
+void Foo::Open()
+	{
+	Opened(props);
+	}
+
+void Foo::Close()
+	{
+	Closed();
+	}
+
+bool Foo::ExtractNextPacket(Packet* pkt)
+	{
+	if ( packet.empty() )
+		{
+		Close();
+		return false;
+		}
+
+	hdr.ts.tv_sec = 1409193037;
+	hdr.ts.tv_usec = 0;
+	hdr.caplen = hdr.len = packet.size();
+	pkt->ts = hdr.ts.tv_sec;
+	pkt->hdr = &hdr;
+	pkt->data = (const u_char *)packet.c_str();
+	return true;
+	}
+
+void Foo::DoneWithPacket()
+	{
+	packet.clear();
+	}
+
+bool Foo::PrecompileFilter(int index, const std::string& filter)
+	{
+	// skip for the testing.
+	return true;
+	}
+
+bool Foo::SetFilter(int index)
+	{
+	// skip for the testing.
+	return true;
+	}
+
+void Foo::Statistics(Stats* stats)
+	{
+	// skip for the testing.
+	}

testing/btest/plugins/pktsrc-plugin/src/Foo.h

@@ -0,0 +1,35 @@
+
+#ifndef BRO_PLUGIN_DEMO_FOO_H
+#define BRO_PLUGIN_DEMO_FOO_H
+
+#include <Val.h>
+#include <iosource/PktSrc.h>
+
+namespace plugin {
+namespace Demo_Foo {
+
+class Foo : public iosource::PktSrc {
+public:
+	Foo(const std::string& path, bool is_live);
+
+	static PktSrc* Instantiate(const std::string& path, bool is_live);
+
+protected:
+	virtual void Open();
+	virtual void Close();
+	virtual bool ExtractNextPacket(Packet* pkt);
+	virtual void DoneWithPacket();
+	virtual bool PrecompileFilter(int index, const std::string& filter);
+	virtual bool SetFilter(int index);
+	virtual void Statistics(Stats* stats);
+
+private:
+	Properties props;
+	string packet;
+	struct pcap_pkthdr hdr;
+};
+
+}
+}
+
+#endif

testing/btest/plugins/pktsrc-plugin/src/Plugin.cc

@@ -0,0 +1,20 @@
+
+#include "Plugin.h"
+
+#include "Foo.h"
+
+namespace plugin { namespace Demo_Foo { Plugin plugin; } }
+
+using namespace plugin::Demo_Foo;
+
+plugin::Configuration Plugin::Configure()
+	{
+	AddComponent(new ::iosource::PktSrcComponent("FooPktSrc", "foo", ::iosource::PktSrcComponent::BOTH, ::plugin::Demo_Foo::Foo::Instantiate));
+
+	plugin::Configuration config;
+	config.name = "Demo::Foo";
+	config.description = "A Foo packet source";
+	config.version.major = 1;
+	config.version.minor = 0;
+	return config;
+	}

testing/btest/plugins/pktsrc.bro

@@ -0,0 +1,8 @@
+# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
+# @TEST-EXEC: cp -r %DIR/pktsrc-plugin/* .
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo  >>output
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r foo::XXX %INPUT FilteredTraceDetection::enable=F >>output
+# @TEST-EXEC: btest-diff conn.log
+

testing/btest/plugins/protocol-plugin/CMakeLists.txt

@@ -15,6 +15,5 @@ bro_plugin_begin(Demo Foo)
 bro_plugin_cc(src/Plugin.cc)
 bro_plugin_cc(src/Foo.cc)
 bro_plugin_bif(src/events.bif)
-bro_plugin_bif(src/functions.bif)
 bro_plugin_pac(src/foo.pac src/foo-protocol.pac src/foo-analyzer.pac)
 bro_plugin_end()

testing/btest/plugins/protocol.bro

@@ -1,6 +1,6 @@
 # @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
 # @TEST-EXEC: cp -r %DIR/protocol-plugin/* .
-# @TEST-EXEC: make BRO=${DIST}
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output
 # @TEST-EXEC: echo === >>output
 # @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -r $TRACES/port4242.trace %INPUT >>output

testing/btest/plugins/reader-plugin/CMakeLists.txt

@@ -0,0 +1,17 @@
+
+project(Bro-Plugin-Demo-Foo)
+
+cmake_minimum_required(VERSION 2.6.3)
+
+if ( NOT BRO_DIST )
+    message(FATAL_ERROR "BRO_DIST not set")
+endif ()
+
+set(CMAKE_MODULE_PATH ${BRO_DIST}/cmake)
+
+include(BroPlugin)
+
+bro_plugin_begin(Demo Foo)
+bro_plugin_cc(src/Plugin.cc)
+bro_plugin_cc(src/Foo.cc)
+bro_plugin_end()

testing/btest/plugins/reader-plugin/src/Foo.cc

@@ -0,0 +1,185 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "Foo.h"
+
+#include "threading/SerialTypes.h"
+#include "threading/Manager.h"
+
+using namespace input::reader;
+using threading::Value;
+using threading::Field;
+
+Foo::Foo(ReaderFrontend *frontend) : ReaderBackend(frontend)
+	{
+	ascii = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo());
+	}
+
+Foo::~Foo()
+	{
+	DoClose();
+	delete ascii;
+	}
+
+void Foo::DoClose()
+	{
+	}
+
+bool Foo::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields)
+	{
+	DoUpdate();
+	return true;
+	}
+
+string Foo::RandomString(const int len)
+	{
+	string s(len, ' ');
+
+	static const char values[] =
+	"0123456789!@#$%^&*()-_=+{}[]\\|"
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	"abcdefghijklmnopqrstuvwxyz";
+
+	for (int i = 0; i < len; ++i)
+		s[i] = values[random() / (RAND_MAX / sizeof(values))];
+
+	return s;
+	}
+
+// read the entire file and send appropriate thingies back to InputMgr
+bool Foo::DoUpdate()
+	{
+	int linestosend = 5;
+	for ( int i = 0; i < linestosend; i++ )
+		{
+		Value** field = new Value*[NumFields()];
+		for  (int j = 0; j < NumFields(); j++ )
+			field[j] = EntryToVal(Fields()[j]->type, Fields()[j]->subtype);
+
+		SendEntry(field);
+	}
+
+	EndCurrentSend();
+
+	return true;
+}
+
+threading::Value* Foo::EntryToVal(TypeTag type, TypeTag subtype)
+	{
+	Value* val = new Value(type, true);
+
+	// basically construct something random from the fields that we want.
+
+	switch ( type ) {
+	case TYPE_ENUM:
+		assert(false); // no enums, please.
+
+	case TYPE_STRING:
+		{
+		string rnd = RandomString(10);
+		val->val.string_val.data = copy_string(rnd.c_str());
+		val->val.string_val.length = rnd.size();
+		break;
+		}
+
+	case TYPE_BOOL:
+		val->val.int_val = 1; // we never lie.
+		break;
+
+	case TYPE_INT:
+		val->val.int_val = random();
+		break;
+
+	case TYPE_TIME:
+		val->val.double_val = 0;
+		break;
+
+	case TYPE_DOUBLE:
+	case TYPE_INTERVAL:
+		val->val.double_val = random();
+		break;
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+		val->val.uint_val = random();
+		break;
+
+	case TYPE_PORT:
+		val->val.port_val.port = random() / (RAND_MAX / 60000);
+		val->val.port_val.proto = TRANSPORT_UNKNOWN;
+		break;
+
+	case TYPE_SUBNET:
+		{
+		val->val.subnet_val.prefix = ascii->ParseAddr("192.168.17.1");
+		val->val.subnet_val.length = 16;
+		}
+		break;
+
+	case TYPE_ADDR:
+		val->val.addr_val = ascii->ParseAddr("192.168.17.1");
+		break;
+
+	case TYPE_TABLE:
+	case TYPE_VECTOR:
+		// First - common initialization
+		// Then - initialization for table.
+		// Then - initialization for vector.
+		// Then - common stuff
+		{
+		// how many entries do we have...
+		unsigned int length = random() / (RAND_MAX / 15);
+
+		Value** lvals = new Value* [length];
+
+		if ( type == TYPE_TABLE )
+			{
+			val->val.set_val.vals = lvals;
+			val->val.set_val.size = length;
+			}
+		else if ( type == TYPE_VECTOR )
+			{
+			val->val.vector_val.vals = lvals;
+			val->val.vector_val.size = length;
+			}
+		else
+			assert(false);
+
+		if ( length == 0 )
+			break; //empty
+
+		for ( unsigned int pos = 0; pos < length; pos++ )
+			{
+			Value* newval = EntryToVal(subtype, TYPE_ENUM);
+			if ( newval == 0 )
+				{
+				Error("Error while reading set");
+				delete val;
+				return 0;
+				}
+			lvals[pos] = newval;
+			}
+
+		break;
+		}
+
+
+	default:
+		Error(Fmt("unsupported field format %d", type));
+		delete val;
+		return 0;
+	}
+
+	return val;
+
+	}
+
+
+bool Foo::DoHeartbeat(double network_time, double current_time)
+{
+	return true;
+}

testing/btest/plugins/reader-plugin/src/Foo.h

@@ -0,0 +1,34 @@
+
+#ifndef BRO_PLUGIN_DEMO_FOO_H
+#define BRO_PLUGIN_DEMO_FOO_H
+
+#include "input/ReaderBackend.h"
+#include "threading/formatters/Ascii.h"
+
+namespace input { namespace reader {
+
+/**
+ * A Foo reader to measure performance of the input framework.
+ */
+class Foo : public ReaderBackend {
+public:
+	Foo(ReaderFrontend* frontend);
+	~Foo();
+
+	static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Foo(frontend); }
+
+protected:
+	virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields);
+	virtual void DoClose();
+	virtual bool DoUpdate();
+	virtual bool DoHeartbeat(double network_time, double current_time);
+
+private:
+	string RandomString(const int len);
+	threading::Value* EntryToVal(TypeTag Type, TypeTag subtype);
+	threading::formatter::Ascii* ascii;
+};
+
+} }
+
+#endif

testing/btest/plugins/reader-plugin/src/Plugin.cc

@@ -0,0 +1,19 @@
+#include "Plugin.h"
+
+#include "Foo.h"
+
+namespace plugin { namespace Demo_Foo { Plugin plugin; } }
+
+using namespace plugin::Demo_Foo;
+
+plugin::Configuration Plugin::Configure()
+	{
+	AddComponent(new ::input::Component("Foo", ::input::reader::Foo::Instantiate));
+
+	plugin::Configuration config;
+	config.name = "Demo::Foo";
+	config.description = "A Foo test input reader";
+	config.version.major = 1;
+	config.version.minor = 0;
+	return config;
+	}

testing/btest/plugins/reader-plugin/src/Plugin.h

@@ -0,0 +1,22 @@
+
+#ifndef BRO_PLUGIN_DEMO_FOO
+#define BRO_PLUGIN_DEMO_FOO
+
+#include <plugin/Plugin.h>
+
+namespace plugin {
+namespace Demo_Foo {
+
+class Plugin : public ::plugin::Plugin
+{
+protected:
+	// Overridden from plugin::Plugin.
+	virtual plugin::Configuration Configure();
+};
+
+extern Plugin plugin;
+
+}
+}
+
+#endif

testing/btest/plugins/reader.bro

@@ -0,0 +1,40 @@
+# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin Demo Foo
+# @TEST-EXEC: cp -r %DIR/reader-plugin/* .
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >>output
+# @TEST-EXEC: echo === >>output
+# @TEST-EXEC: BRO_PLUGIN_PATH=`pwd` btest-bg-run bro bro %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff out
+
+redef exit_only_after_terminate = T;
+
+global outfile: file;
+global try: count;
+
+module A;
+
+type Val: record {
+	s: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	print outfile, tpe;
+	print outfile, s;
+	try = try + 1;
+	if ( try == 5 )
+		{
+		Input::remove("input");
+		close(outfile);
+		terminate();
+		}
+	}
+
+event bro_init()
+	{
+	try = 0;
+	outfile = open("../out");
+	Input::add_event([$source="../input.log", $reader=Input::READER_FOO, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F]);
+	}