diff --git a/VERSION b/VERSION
index c4e71db5d7..0f9d6b15dc 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-767
+3.1.0-dev
diff --git a/aux/bifcl b/aux/bifcl
index 699ffb13c9..5fc5eda511 160000
--- a/aux/bifcl
+++ b/aux/bifcl
@@ -1 +1 @@
-Subproject commit 699ffb13c986aca599b70735b368a515c2149982
+Subproject commit 5fc5eda51144ebfbf7ff1f9f52b3b079218ad748
diff --git a/aux/binpac b/aux/binpac
index 1045ab7521..6af0d12708 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 1045ab75217ed37f0ef734bfe6c59f4adc92bf0f
+Subproject commit 6af0d1270897699d908d548d1dbe8f82f8f32b9b
diff --git a/aux/broker b/aux/broker
index 90a7ab3ebc..6c1f404a84 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 90a7ab3ebcc041ff89b378ffdb42f69117707d86
+Subproject commit 6c1f404a84967136b3fec5c21f778e3ea570052c
diff --git a/aux/btest b/aux/btest
index 8765e2805a..ec8483fd09 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 8765e2805a5eb7c87403f566fb06897337270644
+Subproject commit ec8483fd09fc8557197ab8850bd68a9c05e6321f
diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors
index 8a6f3f7c50..6bb6709e75 160000
--- a/aux/netcontrol-connectors
+++ b/aux/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit 8a6f3f7c506ac483265afc77d3c1b0861db79601
+Subproject commit 6bb6709e755ecd2b930ff4a3ddd68f16d2b52cba
diff --git a/aux/paraglob b/aux/paraglob
index 4b0c213ad6..b9b834c8d1 160000
--- a/aux/paraglob
+++ b/aux/paraglob
@@ -1 +1 @@
-Subproject commit 4b0c213ad64737fd1694216fe136b5665f932e22
+Subproject commit b9b834c8d1ec3f2621ca504eaf60e0361fd607a2
diff --git a/aux/zeek-aux b/aux/zeek-aux
index 9a7d124c71..e1e67d863a 160000
--- a/aux/zeek-aux
+++ b/aux/zeek-aux
@@ -1 +1 @@
-Subproject commit 9a7d124c718f45155ea5fa0d2e4ddc3239624171
+Subproject commit e1e67d863a91e4fb1e6ea5b67fe3e6a2468b1024
diff --git a/aux/zeekctl b/aux/zeekctl
index 82d6956c30..0c0589c694 160000
--- a/aux/zeekctl
+++ b/aux/zeekctl
@@ -1 +1 @@
-Subproject commit 82d6956c30da6384146821d6ea3b72457c6b0df5
+Subproject commit 0c0589c694555342463c879f18a26a810f563f76
diff --git a/testing/btest/scripts/site/local-compat.test b/testing/btest/scripts/site/local-compat.test
index 1627b00523..04b979a4de 100644
--- a/testing/btest/scripts/site/local-compat.test
+++ b/testing/btest/scripts/site/local-compat.test
@@ -1,16 +1,21 @@
-# @TEST-EXEC: zeek local-`cat $DIST/VERSION | sed 's/\([0-9].[0-9]\).*/\1/g'`.bro
+# @TEST-EXEC: zeek local-`cat $DIST/VERSION | sed 's/\([0-9].[0-9]\).*/\1/g'`.zeek
-# This tests the compatibility of the past release's site/local.bro
-# script with the current version of Zeek. If the test fails because
-# it doesn't find the right file, that means everything stayed
-# compatibile between releases, so just add a TEST-START-FILE with
-# the contents the latest Zeek version's site/local.zeek script.
-# If the test fails while loading the old local.bro, it usually
+# This tests the compatibility of the past release's site/local.zeek
+# script with the current version of Zeek.
+#
+# If the test fails because it doesn't find the right file (e.g. you just
+# made a release), that just means you should replace the contents of this
+# test with the contents of site/local.zeek from the last release. Use
+# a new local-X.Y.zeek name just so this test is forced to be periodically
+# refreshed with the new contents of local.zeek after every release.
+#
+# If the test fails while loading the old local-X.Y.zeek, it usually
 # indicates a note will need to be made in NEWS explaining to users
-# how to migrate to the new version and this test's TEST-START-FILE
-# should be updated with the latest contents of site/local.zeek.
+# how to migrate to the new version. After adding that note to NEWS,
+# # simply update this test's TEST-START-FILE with the latest contents
+# site/local.zeek.
-@TEST-START-FILE local-2.6.bro
+@TEST-START-FILE local-3.1.zeek
 ##! Local site policy. Customize as appropriate.
 ##!
 ##! This file will not be overwritten when upgrading or reinstalling!
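Review bot: The version-extraction pattern on the added `@TEST-EXEC` line, `sed 's/\([0-9].[0-9]\).*/\1/g'`, leaves the dot unescaped and accepts only one digit on each side, so a two-digit minor such as 3.10.0 in `$DIST/VERSION` would resolve to `local-3.1.zeek` rather than `local-3.10.zeek`. An anchored form such as `sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/'` still yields `3.1` for the `3.1.0-dev` value this commit sets. The last two added comment lines also carry a stray `# ` and drop a word; they should read `# simply update this test's TEST-START-FILE with the latest contents` and `# of site/local.zeek.`.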
@@ -113,282 +118,3 @@
 # this adds the link-layer address for each connection endpoint to the conn.log file.
 # @load policy/protocols/conn/mac-logging
 @TEST-END-FILE
-
-@TEST-START-FILE local-2.5.bro
-##! Local site policy. Customize as appropriate.
-##!
-##! This file will not be overwritten when upgrading or reinstalling!
-
-# This script logs which scripts were loaded during each run.
-@load misc/loaded-scripts
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
-# Estimate and log capture loss.
-@load misc/capture-loss
-
-# Enable logging of memory, packet and lag statistics.
-@load misc/stats
-
-# Load the scan detection script.
-@load misc/scan
-
-# Detect traceroute being run on the network. This could possibly cause
-# performance trouble when there are a lot of traceroutes on your network.
-# Enable cautiously.
-#@load misc/detect-traceroute
-
-# Generate notices when vulnerable versions of software are discovered.
-# The default is to only monitor software found in the address space defined
-# as "local". Refer to the software framework's documentation for more
-# information.
-@load frameworks/software/vulnerable
-
-# Detect software changing (e.g. attacker installing hacked SSHD).
-@load frameworks/software/version-changes
-
-# This adds signatures to detect cleartext forward and reverse windows shells.
-@load-sigs frameworks/signatures/detect-windows-shells
-
-# Load all of the scripts that detect software in various protocols.
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when
-# running on live traffic. Enable it cautiously.
-#@load protocols/http/detect-webapps
-
-# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted
-# externally. Requires that the Site::local_zones variable is defined.
-@load protocols/dns/detect-external-names
-
-# Script to detect various activity in FTP sessions.
-@load protocols/ftp/detect
-
-# Scripts that do asset tracking.
-@load protocols/conn/known-hosts
-@load protocols/conn/known-services
-@load protocols/ssl/known-certs
-
-# This script enables SSL/TLS certificate validation.
-@load protocols/ssl/validate-certs
-
-# This script prevents the logging of SSL CA certificates in x509.log
-@load protocols/ssl/log-hostcerts-only
-
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
-# If you have libGeoIP support built in, do some geographic detections and
-# logging for SSH traffic.
-@load protocols/ssh/geo-data
-# Detect hosts doing SSH bruteforce attacks.
-@load protocols/ssh/detect-bruteforcing
-# Detect logins using "interesting" hostnames.
-@load protocols/ssh/interesting-hostnames
-
-# Detect SQL injection attacks.
-@load protocols/http/detect-sqli
-
-#### Network File Handling ####
-
-# Enable MD5 and SHA1 hashing for all files.
-@load frameworks/files/hash-all-files
-
-# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
-@load frameworks/files/detect-MHR
-
-# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-# this might impact performance a bit.
-# @load policy/protocols/ssl/heartbleed
-
-# Uncomment the following line to enable logging of connection VLANs. Enabling
-# this adds two VLAN fields to the conn.log file.
-# @load policy/protocols/conn/vlan-logging
-
-# Uncomment the following line to enable logging of link-layer addresses. Enabling
-# this adds the link-layer address for each connection endpoint to the conn.log file.
-# @load policy/protocols/conn/mac-logging
-
-# Uncomment the following line to enable the SMB analyzer. The analyzer
-# is currently considered a preview and therefore not loaded by default.
-# @load policy/protocols/smb
-@TEST-END-FILE
-
-@TEST-START-FILE local-2.4.bro
-##! Local site policy. Customize as appropriate.
-##!
-##! This file will not be overwritten when upgrading or reinstalling!
-
-# This script logs which scripts were loaded during each run.
-@load misc/loaded-scripts
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
-# Load the scan detection script.
-@load misc/scan
-
-# Detect traceroute being run on the network.
-@load misc/detect-traceroute
-
-# Generate notices when vulnerable versions of software are discovered.
-# The default is to only monitor software found in the address space defined
-# as "local". Refer to the software framework's documentation for more
-# information.
-@load frameworks/software/vulnerable
-
-# Detect software changing (e.g. attacker installing hacked SSHD).
-@load frameworks/software/version-changes
-
-# This adds signatures to detect cleartext forward and reverse windows shells.
-@load-sigs frameworks/signatures/detect-windows-shells
-
-# Load all of the scripts that detect software in various protocols.
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when
-# running on live traffic. Enable it cautiously.
-#@load protocols/http/detect-webapps
-
-# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted
-# externally. Requires that the Site::local_zones variable is defined.
-@load protocols/dns/detect-external-names
-
-# Script to detect various activity in FTP sessions.
-@load protocols/ftp/detect
-
-# Scripts that do asset tracking.
-@load protocols/conn/known-hosts
-@load protocols/conn/known-services
-@load protocols/ssl/known-certs
-
-# This script enables SSL/TLS certificate validation.
-@load protocols/ssl/validate-certs
-
-# This script prevents the logging of SSL CA certificates in x509.log
-@load protocols/ssl/log-hostcerts-only
-
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
-# If you have libGeoIP support built in, do some geographic detections and
-# logging for SSH traffic.
-@load protocols/ssh/geo-data
-# Detect hosts doing SSH bruteforce attacks.
-@load protocols/ssh/detect-bruteforcing
-# Detect logins using "interesting" hostnames.
-@load protocols/ssh/interesting-hostnames
-
-# Detect SQL injection attacks.
-@load protocols/http/detect-sqli
-
-#### Network File Handling ####
-
-# Enable MD5 and SHA1 hashing for all files.
-@load frameworks/files/hash-all-files
-
-# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
-@load frameworks/files/detect-MHR
-
-# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-# this might impact performance a bit.
-# @load policy/protocols/ssl/heartbleed
-@TEST-END-FILE
-
-@TEST-START-FILE local-2.3.bro
-##! Local site policy. Customize as appropriate.
-##!
-##! This file will not be overwritten when upgrading or reinstalling!
-
-# This script logs which scripts were loaded during each run.
-@load misc/loaded-scripts
-
-# Apply the default tuning scripts for common tuning settings.
-@load tuning/defaults
-
-# Load the scan detection script.
-@load misc/scan
-
-# Log some information about web applications being used by users
-# on your network.
-@load misc/app-stats
-
-# Detect traceroute being run on the network.
-@load misc/detect-traceroute
-
-# Generate notices when vulnerable versions of software are discovered.
-# The default is to only monitor software found in the address space defined
-# as "local". Refer to the software framework's documentation for more
-# information.
-@load frameworks/software/vulnerable
-
-# Detect software changing (e.g. attacker installing hacked SSHD).
-@load frameworks/software/version-changes
-
-# This adds signatures to detect cleartext forward and reverse windows shells.
-@load-sigs frameworks/signatures/detect-windows-shells
-
-# Load all of the scripts that detect software in various protocols.
-@load protocols/ftp/software
-@load protocols/smtp/software
-@load protocols/ssh/software
-@load protocols/http/software
-# The detect-webapps script could possibly cause performance trouble when
-# running on live traffic. Enable it cautiously.
-#@load protocols/http/detect-webapps
-
-# This script detects DNS results pointing toward your Site::local_nets
-# where the name is not part of your local DNS zone and is being hosted
-# externally. Requires that the Site::local_zones variable is defined.
-@load protocols/dns/detect-external-names
-
-# Script to detect various activity in FTP sessions.
-@load protocols/ftp/detect
-
-# Scripts that do asset tracking.
-@load protocols/conn/known-hosts
-@load protocols/conn/known-services
-@load protocols/ssl/known-certs
-
-# This script enables SSL/TLS certificate validation.
-@load protocols/ssl/validate-certs
-
-# This script prevents the logging of SSL CA certificates in x509.log
-@load protocols/ssl/log-hostcerts-only
-
-# Uncomment the following line to check each SSL certificate hash against the ICSI
-# certificate notary service; see http://notary.icsi.berkeley.edu .
-# @load protocols/ssl/notary
-
-# If you have libGeoIP support built in, do some geographic detections and
-# logging for SSH traffic.
-@load protocols/ssh/geo-data
-# Detect hosts doing SSH bruteforce attacks.
-@load protocols/ssh/detect-bruteforcing
-# Detect logins using "interesting" hostnames.
-@load protocols/ssh/interesting-hostnames
-
-# Detect SQL injection attacks.
-@load protocols/http/detect-sqli
-
-#### Network File Handling ####
-
-# Enable MD5 and SHA1 hashing for all files.
-@load frameworks/files/hash-all-files
-
-# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
-@load frameworks/files/detect-MHR
-
-# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-# this might impact performance a bit.
-# @load policy/protocols/ssl/heartbleed
-@TEST-END-FILE