From e5a589dbfe5fc4392543ac3ee1e1fb1da74380d5 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 16 Sep 2013 09:14:36 -0700
Subject: [PATCH 001/220] Very basic file-analyzer for x509 certificates.
 Mostly ripped from the ssl-analyzer and the topic/bernhard/x509 branch.

Simply prints information about the encountered certificates (I have
not yet my mind up, what I will log...).

Next step: extensions...
---
 scripts/base/files/x509/__load__.bro          |   1 +
 scripts/base/files/x509/main.bro              |  14 +
 scripts/base/init-bare.bro                    |  20 ++
 scripts/base/init-default.bro                 |   2 +-
 scripts/base/protocols/ssl/__load__.bro       |   1 +
 scripts/base/protocols/ssl/files.bro          |  48 +++
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |   8 +
 src/file_analysis/analyzer/CMakeLists.txt     |   1 +
 .../analyzer/x509/CMakeLists.txt              |  10 +
 src/file_analysis/analyzer/x509/Plugin.cc     |  10 +
 src/file_analysis/analyzer/x509/X509.cc       | 295 ++++++++++++++++++
 src/file_analysis/analyzer/x509/X509.h        |  38 +++
 src/file_analysis/analyzer/x509/events.bif    |   1 +
 src/file_analysis/analyzer/x509/types.bif     |   1 +
 14 files changed, 449 insertions(+), 1 deletion(-)
 create mode 100644 scripts/base/files/x509/__load__.bro
 create mode 100644 scripts/base/files/x509/main.bro
 create mode 100644 scripts/base/protocols/ssl/files.bro
 create mode 100644 src/file_analysis/analyzer/x509/CMakeLists.txt
 create mode 100644 src/file_analysis/analyzer/x509/Plugin.cc
 create mode 100644 src/file_analysis/analyzer/x509/X509.cc
 create mode 100644 src/file_analysis/analyzer/x509/X509.h
 create mode 100644 src/file_analysis/analyzer/x509/events.bif
 create mode 100644 src/file_analysis/analyzer/x509/types.bif

diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/files/x509/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
new file mode 100644
index 0000000000..205b8fbd25
--- /dev/null
+++ b/scripts/base/files/x509/main.bro
@@ -0,0 +1,14 @@
+
+@load base/frameworks/files
+
+module X509;
+
+export {
+	redef enum Log::ID += { LOG };
+}
+
+event x509_cert(f: fa_file, cert: X509::Certificate)
+	{
+	print cert;
+	}
+
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index fe3b84a93b..5d7914dc6b 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2721,6 +2721,26 @@ export {
 	};
 }
 
+module X509;
+export {
+	type X509::Certificate: record {
+		version: count;	##< Version number.
+		serial: string;	##< Serial number.
+		subject: string;	##< Subject.
+		issuer: string;	##< Issuer.
+		not_valid_before: time;	##< Timestamp before when certificate is not valid.
+		not_valid_after: time;	##< Timestamp after when certificate is not valid.
+		key_alg: string; ##< name of the key algorithm
+		sig_alg: string; ##< name of the signature algorithm
+		key_type: string &optional; ##< key-type, if key parseable by openssl (either rsa, dsa or ec)
+		key_length: count &optional; ##< key-length in bits  
+		exponent: string &optional; ##< exponent, if RSA-certificate
+		curve: string &optional; ##< curve, if EC-certificate
+		ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
+		path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
+	};
+}
+		
 module SOCKS;
 export {
 	## This record is for a SOCKS client or server to provide either a
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 202f8eaaab..c0fb29f081 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -57,6 +57,6 @@
 @load base/files/hash
 @load base/files/extract
 @load base/files/unified2
-
+@load base/files/x509
 
 @load base/misc/find-checksum-offloading
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro
index 5a8590f234..42287fb039 100644
--- a/scripts/base/protocols/ssl/__load__.bro
+++ b/scripts/base/protocols/ssl/__load__.bro
@@ -1,5 +1,6 @@
 @load ./consts
 @load ./main
 @load ./mozilla-ca-list
+@load ./files
 
 @load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
new file mode 100644
index 0000000000..7582a428ae
--- /dev/null
+++ b/scripts/base/protocols/ssl/files.bro
@@ -0,0 +1,48 @@
+@load ./main
+@load base/utils/conn-ids
+@load base/frameworks/files
+
+module SSL;
+
+export {
+	redef record Info += {
+		## An ordered vector of file unique IDs which contains
+		## all the certificates sent over the connection
+		fuids: vector of string &log &default=string_vec();
+	};
+
+	## Default file handle provider for SSL.
+	global get_file_handle: function(c: connection, is_orig: bool): string;
+
+	## Default file describer for SSL.
+	global describe_file: function(f: fa_file): string;
+}
+
+function get_file_handle(c: connection, is_orig: bool): string
+	{
+	return cat(Analyzer::ANALYZER_SMTP, c$start_time);
+	}
+
+function describe_file(f: fa_file): string
+	{
+	# This shouldn't be needed, but just in case...
+	if ( f$source != "SSL" )
+		return "";
+
+	return "";
+	}
+
+event bro_init() &priority=5
+	{
+	Files::register_protocol(Analyzer::ANALYZER_SSL, 
+	                         [$get_file_handle = SSL::get_file_handle,
+	                          $describe        = SSL::describe_file]);
+	}
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
+	{
+	if ( c?$ssl )
+		c$ssl$fuids[|c$ssl$fuids|] = f$id;
+
+	Files::add_analyzer(f, Files::ANALYZER_X509);
+	}
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 3d9564eaab..4cd7599ef7 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -10,6 +10,8 @@
 
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+
+#include "file_analysis/Manager.h"
 %}
 
 
@@ -253,6 +255,11 @@ refine connection SSL_Conn += {
 				{
 				const bytestring& cert = (*certificates)[i];
 				const uint8* data = cert.data();
+				
+				file_mgr->DataIn(reinterpret_cast<const u_char*>(data), cert.length(), 
+						bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), false);
+				file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn());
+
 				X509* pTemp = d2i_X509_binpac(NULL, &data, cert.length());
 				if ( ! pTemp )
 					{
@@ -261,6 +268,7 @@ refine connection SSL_Conn += {
 					return false;
 					}
 
+
 				RecordVal* pX509Cert = new RecordVal(x509_type);
 				char tmp[256];
 				BIO *bio = BIO_new(BIO_s_mem());
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt
index 1e19b7bd11..ede63dbd1b 100644
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@@ -2,3 +2,4 @@ add_subdirectory(data_event)
 add_subdirectory(extract)
 add_subdirectory(hash)
 add_subdirectory(unified2)
+add_subdirectory(x509)
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
new file mode 100644
index 0000000000..759a01b55c
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -0,0 +1,10 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+                           ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro X509)
+bro_plugin_cc(X509.cc Plugin.cc ../../Analyzer.cc)
+bro_plugin_bif(events.bif types.bif)
+bro_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
new file mode 100644
index 0000000000..1e76e3fdb7
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -0,0 +1,10 @@
+#include "plugin/Plugin.h"
+
+#include "X509.h"
+
+BRO_PLUGIN_BEGIN(Bro, X509)
+	BRO_PLUGIN_DESCRIPTION("Parse X509 Certificate");
+	BRO_PLUGIN_FILE_ANALYZER("X509", X509);
+	BRO_PLUGIN_BIF_FILE(events);
+	BRO_PLUGIN_BIF_FILE(types);	
+BRO_PLUGIN_END
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
new file mode 100644
index 0000000000..78d746ac9b
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -0,0 +1,295 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <string>
+
+#include "X509.h"
+#include "Event.h"
+
+#include "events.bif.h"
+#include "types.bif.h"
+
+#include "file_analysis/Manager.h"
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/asn1.h>
+#include <openssl/opensslconf.h>
+
+using namespace file_analysis;
+
+file_analysis::X509::X509(RecordVal* args, file_analysis::File* file)
+    : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file)
+	{
+	cert_data.clear();
+	}
+
+bool file_analysis::X509::DeliverStream(const u_char* data, uint64 len)
+	{
+	// just add it to the data we have so far, since we cannot do anything else anyways...
+	cert_data.append(reinterpret_cast<const char*>(data), len);
+	return true;
+	}
+
+bool file_analysis::X509::Undelivered(uint64 offset, uint64 len)
+	{
+	return false;
+	}
+
+bool file_analysis::X509::EndOfFile()
+	{
+	// ok, now we can try to parse the certificate with openssl. Should
+	// be rather straightforward...
+	const unsigned char* cert_char = reinterpret_cast<const unsigned char*>(cert_data.data());
+	::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size());
+	if ( !ssl_cert )
+		{
+		reporter->Error("Could not parse X509 certificate");
+		return false;
+		}
+
+	char buf[256]; // we need a buffer for some of the openssl functions
+	memset(buf, 0, 256);	
+	
+	RecordVal* pX509Cert = new RecordVal(BifType::Record::X509::Certificate);
+	BIO *bio = BIO_new(BIO_s_mem());
+
+	pX509Cert->Assign(0, new Val((uint64) X509_get_version(ssl_cert), TYPE_COUNT));
+	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
+	int len = BIO_read(bio, &(*buf), sizeof buf);
+	pX509Cert->Assign(1, new StringVal(len, buf));
+
+	X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
+	len = BIO_gets(bio, &(*buf), sizeof buf);
+	pX509Cert->Assign(2, new StringVal(len, buf));
+	X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
+	len = BIO_gets(bio, &(*buf), sizeof buf);
+	pX509Cert->Assign(3, new StringVal(len, buf));
+	BIO_free(bio);
+
+	pX509Cert->Assign(4, new Val(get_time_from_asn1(X509_get_notBefore(ssl_cert)), TYPE_TIME));
+	pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notAfter(ssl_cert)), TYPE_TIME));
+
+	// we only read 255 bytes because byte 256 is always 0.
+	// if the string is longer than 255, that will be our null-termination,
+	// otherwhise i2t does null-terminate.
+	if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->cert_info->key->algor->algorithm) ) 
+		buf[0] = 0;
+	pX509Cert->Assign(6, new StringVal(buf));
+
+	if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->sig_alg->algorithm) ) 
+		buf[0] = 0;
+	pX509Cert->Assign(7, new StringVal(buf));
+
+	// Things we can do when we have the key...
+	EVP_PKEY *pkey = X509_extract_key(ssl_cert);
+	if ( pkey != NULL ) 
+		{
+		if ( pkey->type == EVP_PKEY_DSA ) 
+			{
+			pX509Cert->Assign(8, new StringVal("dsa"));
+			}
+		else if ( pkey->type == EVP_PKEY_RSA ) 
+			{
+			pX509Cert->Assign(8, new StringVal("rsa"));
+			char *exponent = BN_bn2dec(pkey->pkey.rsa->e);
+			if ( exponent != NULL ) 
+				{
+				pX509Cert->Assign(10, new StringVal(exponent));
+				OPENSSL_free(exponent);
+				exponent = NULL;
+				}
+			}
+#ifndef OPENSSL_NO_EC
+		else if ( pkey->type == EVP_PKEY_EC )
+			{
+			pX509Cert->Assign(8, new StringVal("dsa"));
+			pX509Cert->Assign(11, key_curve(pkey));
+			}
+#endif
+
+		unsigned int length = key_length(pkey);
+		if ( length > 0 ) 
+			pX509Cert->Assign(9, new Val(length, TYPE_COUNT));
+		}
+
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(pX509Cert);
+
+	mgr.QueueEvent(x509_cert, vl);
+	
+	return false;
+	}
+
+StringVal* file_analysis::X509::key_curve(EVP_PKEY *key)
+	{
+	assert(key != NULL);
+
+#ifdef OPENSSL_NO_EC
+	// well, we do not have EC-Support...
+	return NULL;
+#else 
+	if ( key->type != EVP_PKEY_EC ) {
+		// no EC-key - no curve name
+		return NULL;
+	}
+
+	const EC_GROUP *group;
+	int nid;
+	if ( (group = EC_KEY_get0_group(key->pkey.ec)) == NULL) 
+		// I guess we could not parse this
+		return NULL;
+
+	nid = EC_GROUP_get_curve_name(group);
+	if ( nid == 0 ) 
+		// and an invalid nid...
+		return NULL;
+
+	const char * curve_name = OBJ_nid2sn(nid);
+	if ( curve_name == NULL ) 
+		return NULL;
+
+	return new StringVal(curve_name);
+#endif
+	}
+
+unsigned int file_analysis::X509::key_length(EVP_PKEY *key) 
+	{
+	assert(key != NULL);
+	unsigned int length;
+
+	switch(key->type) {
+    	case EVP_PKEY_RSA:
+      		length = BN_num_bits(key->pkey.rsa->n);
+      		break;
+    	case EVP_PKEY_DSA:
+      		length = BN_num_bits(key->pkey.dsa->p);
+      		break;
+#ifndef OPENSSL_NO_EC
+		case EVP_PKEY_EC:
+		{
+		const EC_GROUP *group;       
+		BIGNUM* ec_order;
+		ec_order = BN_new();
+		if ( !ec_order ) 
+			// could not malloc bignum?
+			return 0;
+
+		if ( (group = EC_KEY_get0_group(key->pkey.ec)) == NULL) 
+			// unknown ex-group
+			return 0;
+
+		if (!EC_GROUP_get_order(group, ec_order, NULL)) 
+			// could not get ec-group-order
+			return 0;
+
+		length = BN_num_bits(ec_order);
+		BN_free(ec_order);
+		break;
+		}
+#endif
+	default:
+		return 0; // unknown public key type
+	}
+
+	return length;
+	}
+
+double file_analysis::X509::get_time_from_asn1(const ASN1_TIME * atime)
+	{
+	time_t lResult = 0;
+
+	char lBuffer[24];
+	char * pBuffer = lBuffer;
+
+	size_t lTimeLength = atime->length;
+	char * pString = (char *) atime->data;
+
+	if ( atime->type == V_ASN1_UTCTIME )
+		{
+		if ( lTimeLength < 11 || lTimeLength > 17 )
+			return 0;
+
+		memcpy(pBuffer, pString, 10);
+		pBuffer += 10;
+		pString += 10;
+		}
+	else
+		{
+		if ( lTimeLength < 13 )
+			return 0;
+
+		memcpy(pBuffer, pString, 12);
+		pBuffer += 12;
+		pString += 12;
+		}
+
+	if ((*pString == 'Z') || (*pString == '-') || (*pString == '+'))
+		{
+		*(pBuffer++) = '0';
+		*(pBuffer++) = '0';
+		}
+	else
+		{
+		*(pBuffer++) = *(pString++);
+		*(pBuffer++) = *(pString++);
+
+		// Skip any fractional seconds...
+		if (*pString == '.')
+			{
+			pString++;
+			while ((*pString >= '0') && (*pString <= '9'))
+				pString++;
+			}
+		}
+
+	*(pBuffer++) = 'Z';
+	*(pBuffer++) = '\0';
+
+	time_t lSecondsFromUTC;
+
+	if ( *pString == 'Z' )
+		lSecondsFromUTC = 0;
+
+	else
+		{
+		if ((*pString != '+') && (pString[5] != '-'))
+			return 0;
+
+		lSecondsFromUTC = ((pString[1]-'0') * 10 + (pString[2]-'0')) * 60;
+		lSecondsFromUTC += (pString[3]-'0') * 10 + (pString[4]-'0');
+
+		if (*pString == '-')
+			lSecondsFromUTC = -lSecondsFromUTC;
+		}
+
+	tm lTime;
+	lTime.tm_sec  = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
+	lTime.tm_min  = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
+	lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
+	lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
+	lTime.tm_mon  = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
+	lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
+
+	if ( lTime.tm_year < 50 )
+		lTime.tm_year += 100; // RFC 2459
+
+	lTime.tm_wday = 0;
+	lTime.tm_yday = 0;
+	lTime.tm_isdst = 0;  // No DST adjustment requested
+
+	lResult = mktime(&lTime);
+
+	if ( lResult )
+		{
+		if ( 0 != lTime.tm_isdst )
+			lResult -= 3600;  // mktime may adjust for DST  (OS dependent)
+
+		lResult += lSecondsFromUTC;
+		}
+	else
+		lResult = 0;
+
+	return lResult;
+}
+
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
new file mode 100644
index 0000000000..ce74190b69
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -0,0 +1,38 @@
+#ifndef FILE_ANALYSIS_X509_H
+#define FILE_ANALYSIS_X509_H
+
+#include <string>
+
+#include "Val.h"
+#include "../File.h"
+#include "Analyzer.h"
+
+#include <openssl/asn1.h>
+
+namespace file_analysis {
+
+class X509 : public file_analysis::Analyzer {
+public:
+	//~X509();
+
+	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
+		{ return new X509(args, file); }
+
+	virtual bool DeliverStream(const u_char* data, uint64 len);
+	virtual bool Undelivered(uint64 offset, uint64 len);	
+	virtual bool EndOfFile();
+
+protected:
+	X509(RecordVal* args, File* file);
+
+private:
+	static double get_time_from_asn1(const ASN1_TIME * atime);
+	static StringVal* key_curve(EVP_PKEY *key);
+	static unsigned int key_length(EVP_PKEY *key);
+
+	std::string cert_data;
+};
+
+}
+
+#endif
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
new file mode 100644
index 0000000000..3c3049559d
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -0,0 +1 @@
+event x509_cert%(f: fa_file, cert: X509::Certificate%);
diff --git a/src/file_analysis/analyzer/x509/types.bif b/src/file_analysis/analyzer/x509/types.bif
new file mode 100644
index 0000000000..9e4fd48420
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/types.bif
@@ -0,0 +1 @@
+type X509::Certificate: record;

From df552ca87d842ca66a9bd234f0feea2ac8174929 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 19 Sep 2013 14:35:11 -0700
Subject: [PATCH 002/220] parse out extension. One event for general extensions
 (just returns the openssl-parsed string-value), one event for
 basicconstraints (is a certificate a CA or not) and one event for
 subject-alternative-names (only DNS parts).

---
 scripts/base/files/x509/main.bro           |  15 ++
 scripts/base/init-bare.bro                 |  22 ++-
 src/analyzer/protocol/ssl/SSL.h            |   2 +-
 src/analyzer/protocol/ssl/events.bif       |   2 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac |  28 ----
 src/file_analysis/analyzer/x509/X509.cc    | 153 ++++++++++++++++++++-
 src/file_analysis/analyzer/x509/X509.h     |   6 +
 src/file_analysis/analyzer/x509/events.bif |   3 +
 src/file_analysis/analyzer/x509/types.bif  |   4 +
 9 files changed, 202 insertions(+), 33 deletions(-)

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 205b8fbd25..458a389934 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -12,3 +12,18 @@ event x509_cert(f: fa_file, cert: X509::Certificate)
 	print cert;
 	}
 
+event x509_extension(f: fa_file, ext: X509::Extension)
+{
+print ext;
+}
+
+event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints)
+{
+print ext;
+}
+
+event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) 
+{
+print ext;
+}
+
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 5d7914dc6b..c8e2e52b8a 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2736,9 +2736,27 @@ export {
 		key_length: count &optional; ##< key-length in bits  
 		exponent: string &optional; ##< exponent, if RSA-certificate
 		curve: string &optional; ##< curve, if EC-certificate
-		ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
-		path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
+		#ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
+		#path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
 	};
+
+	type X509::Extension: record {
+		name: string; ##< long name of extension. oid if name not known
+		short_name: string &optional; ##< short name of extension if known.
+		oid: string; ##< oid of extension
+		critical: bool; ##< true if extension is critical
+		value: string; ##< extension content parsed to string for known extensions. Raw data otherwise.
+	};
+
+	type X509::BasicConstraints: record {
+		ca: bool; ##< CA flag set?
+		path_len: count &optional;
+	};
+	
+	type X509::SubjectAlternativeName: record {
+		names: vector of string;
+	};
+
 }
 		
 module SOCKS;
diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
index 6423d1b155..5749066780 100644
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -28,7 +28,7 @@ public:
 		{
 		return ( ssl_client_hello || ssl_server_hello ||
 			ssl_established || ssl_extension || ssl_alert ||
-			x509_certificate || x509_extension || x509_error );
+			x509_certificate || x509_error );
 		}
 
 protected:
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 3d0c7e9d6a..b7586561fc 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -176,7 +176,7 @@ event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: cou
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_server_hello x509_certificate x509_error  x509_verify
-event x509_extension%(c: connection, is_orig: bool, data: string%);
+#event x509_extension%(c: connection, is_orig: bool, data: string%);
 
 ## Generated when errors occur during parsing an X509 certificate.
 ##
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 4cd7599ef7..43e2ac5c73 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -296,34 +296,6 @@ refine connection SSL_Conn += {
 							i, certificates->size(),
 							der_cert);
 
-				// Are there any X509 extensions?
-				//printf("Number of x509 extensions: %d\n", X509_get_ext_count(pTemp));
-				if ( x509_extension && X509_get_ext_count(pTemp) > 0 )
-					{
-					int num_ext = X509_get_ext_count(pTemp);
-					for ( int k = 0; k < num_ext; ++k )
-						{
-						unsigned char *pBuffer = 0;
-						int length = 0;
-
-						X509_EXTENSION* ex = X509_get_ext(pTemp, k);
-						if (ex)
-							{
-							ASN1_STRING *pString = X509_EXTENSION_get_data(ex);
-							length = ASN1_STRING_to_UTF8(&pBuffer, pString);
-							//i2t_ASN1_OBJECT(&pBuffer, length, obj)
-							// printf("extension length: %d\n", length);
-							// -1 indicates an error.
-							if ( length >= 0 )
-								{
-								StringVal* value = new StringVal(length, (char*)pBuffer);
-								BifEvent::generate_x509_extension(bro_analyzer(),
-											bro_analyzer()->Conn(), ${rec.is_orig}, value);
-								}
-							OPENSSL_free(pBuffer);
-							}
-						}
-					}
 				X509_free(pTemp);
 				}
 			}
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 78d746ac9b..3d7871be9a 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -47,6 +47,27 @@ bool file_analysis::X509::EndOfFile()
 		return false;
 		}
 
+	ParseCertificate(ssl_cert);
+
+	// after parsing the certificate - parse the extensions...
+
+	int num_ext = X509_get_ext_count(ssl_cert);
+	for ( int k = 0; k < num_ext; ++k ) 
+		{
+		X509_EXTENSION* ex = X509_get_ext(ssl_cert, k);
+		if ( !ex )
+			continue;
+
+		ParseExtension(ex);
+		}
+	
+	X509_free(ssl_cert);
+
+	return false;
+	}
+
+void file_analysis::X509::ParseCertificate(::X509* ssl_cert) 
+	{
 	char buf[256]; // we need a buffer for some of the openssl functions
 	memset(buf, 0, 256);	
 	
@@ -117,8 +138,138 @@ bool file_analysis::X509::EndOfFile()
 	vl->append(pX509Cert);
 
 	mgr.QueueEvent(x509_cert, vl);
+	}
+
+void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) 
+	{
+	char name[256];
+	char oid[256];
+
+	ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
+	const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn));
+
+	OBJ_obj2txt(name, 255, ext_asn, 0);
+	OBJ_obj2txt(oid, 255, ext_asn, 1);
+
+	int critical = 0;
+	if ( X509_EXTENSION_get_critical(ex) != 0 )
+		critical = 1;
+
+	BIO *bio = BIO_new(BIO_s_mem());
+	if(!X509V3_EXT_print(bio, ex, 0, 0))
+		M_ASN1_OCTET_STRING_print(bio,ex->value);
 	
-	return false;
+	BIO_flush(bio);
+	int length = BIO_pending(bio);
+	char *buffer = new char[length];
+	BIO_read(bio, (void*)buffer, length);
+	StringVal* ext_val = new StringVal(length, buffer);
+	delete(buffer);
+	BIO_free_all(bio);
+
+	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);						
+	pX509Ext->Assign(0, new StringVal(name));
+	if ( short_name and strlen(short_name) > 0 ) 
+		pX509Ext->Assign(1, new StringVal(short_name));
+	pX509Ext->Assign(2, new StringVal(oid));
+	pX509Ext->Assign(3, new Val(critical, TYPE_BOOL));
+	pX509Ext->Assign(4, ext_val);
+	
+	// send off generic extension event
+	//
+	// and then look if we have a specialized event for the extension we just
+	// parsed. And if we have it, we send the specialized event on top of the
+	// generic event that we just had. I know, that is... kind of not nice, 
+	// but I am not sure if there is a better way to do it...
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(pX509Ext);
+
+	mgr.QueueEvent(x509_extension, vl);
+
+
+	// look if we have a specialized handler for this event...
+	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) 
+		ParseBasicConstraints(ex);
+	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
+		ParseSAN(ex);
+
+	
+
+	}
+void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) 
+	{
+	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
+	
+	RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints);
+	BASIC_CONSTRAINTS *constr = (BASIC_CONSTRAINTS *) X509V3_EXT_d2i(ex);
+	if ( !constr ) 
+		{
+		reporter->Error("Certificate with invalid BasicConstraint");
+		}
+	else 	
+		{
+		pBasicConstraint->Assign(0, new Val(constr->ca ? 1 : 0, TYPE_BOOL));
+		if ( constr->pathlen ) {
+			pBasicConstraint->Assign(1, new Val((int32_t) ASN1_INTEGER_get(constr->pathlen), TYPE_COUNT));
+		}
+		val_list* vl = new val_list();
+		vl->append(GetFile()->GetVal()->Ref());
+		vl->append(pBasicConstraint);
+
+		mgr.QueueEvent(x509_ext_basic_constraints, vl);
+
+		}
+		
+	}
+
+void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) 
+	{
+	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
+
+	GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext);
+	if ( !altname )
+		{
+		reporter->Error("could not parse subject alternative names");
+		return;
+		}
+
+	VectorVal* names = new VectorVal(internal_type("string_vec")->AsVectorType());
+
+	int j = 0;
+	for ( int i = 0; i < sk_GENERAL_NAME_num(altname); i++ ) 
+		{
+		GENERAL_NAME *gen = sk_GENERAL_NAME_value(altname, i);
+		assert(gen);
+
+		if ( gen->type == GEN_DNS )
+			{
+			if (ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING) 
+				{
+				reporter->Error("DNS-field does not contain an IA5String");
+				continue;
+				}
+			const char* name = (const char*) ASN1_STRING_data(gen->d.ia5);
+			StringVal* bs = new StringVal(name);
+			names->Assign(j, bs);
+			j++;
+			}
+		else 
+			{
+			// we should perhaps sometime parse out ip-addresses
+			reporter->Error("Subject alternative name contained non-dns fields");
+			continue;
+			}
+		}
+
+		RecordVal* pSan = new RecordVal(BifType::Record::X509::SubjectAlternativeName);
+		pSan->Assign(0, names);
+
+		val_list* vl = new val_list();
+		vl->append(GetFile()->GetVal()->Ref());
+		vl->append(pSan);
+
+		mgr.QueueEvent(x509_ext_basic_constraints, vl);
 	}
 
 StringVal* file_analysis::X509::key_curve(EVP_PKEY *key)
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index ce74190b69..cc0131afac 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -7,6 +7,7 @@
 #include "../File.h"
 #include "Analyzer.h"
 
+#include <openssl/x509.h>
 #include <openssl/asn1.h>
 
 namespace file_analysis {
@@ -30,6 +31,11 @@ private:
 	static StringVal* key_curve(EVP_PKEY *key);
 	static unsigned int key_length(EVP_PKEY *key);
 
+	void ParseCertificate(::X509* ssl_cert);
+	void ParseExtension(X509_EXTENSION* ex);
+	void ParseBasicConstraints(X509_EXTENSION* ex);
+	void ParseSAN(X509_EXTENSION* ex);
+
 	std::string cert_data;
 };
 
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 3c3049559d..148d09ec00 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1 +1,4 @@
 event x509_cert%(f: fa_file, cert: X509::Certificate%);
+event x509_extension%(f: fa_file, ext: X509::Extension%);
+event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
+event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
diff --git a/src/file_analysis/analyzer/x509/types.bif b/src/file_analysis/analyzer/x509/types.bif
index 9e4fd48420..49a915c7fc 100644
--- a/src/file_analysis/analyzer/x509/types.bif
+++ b/src/file_analysis/analyzer/x509/types.bif
@@ -1 +1,5 @@
 type X509::Certificate: record;
+type X509::Extension: record;
+type X509::BasicConstraints: record;
+type X509::SubjectAlternativeName: record;
+

From 2b87499fd96ea28cf66f999ffd97b94f5596a7b2 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 1 Oct 2013 16:20:55 -0700
Subject: [PATCH 003/220] rip out x509 code from ssl analyzer. Note that since
 at the moment the file analyzer does not yet re-populate the info record that
 means quite a lot of information is simply not available.

---
 scripts/base/protocols/ssl/main.bro        |  43 -------
 src/analyzer/protocol/ssl/CMakeLists.txt   |   1 -
 src/analyzer/protocol/ssl/Plugin.cc        |   1 -
 src/analyzer/protocol/ssl/SSL.h            |   3 +-
 src/analyzer/protocol/ssl/events.bif       |  73 +-----------
 src/analyzer/protocol/ssl/functions.bif    | 132 ---------------------
 src/analyzer/protocol/ssl/ssl-analyzer.pac |  57 +--------
 7 files changed, 12 insertions(+), 298 deletions(-)
 delete mode 100644 src/analyzer/protocol/ssl/functions.bif

diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 2381b356e4..1b487ef4bf 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -168,49 +168,6 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, session
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
-event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=5
-	{
-	set_session(c);
-
-	# We aren't doing anything with client certificates yet.
-	if ( is_orig )
-		{
-		if ( chain_idx == 0 )
-			{
-			# Save the primary cert.
-			c$ssl$client_cert = der_cert;
-
-			# Also save other certificate information about the primary cert.
-			c$ssl$client_subject = cert$subject;
-			c$ssl$client_issuer_subject = cert$issuer;
-			}
-		else
-			{
-			# Otherwise, add it to the cert validation chain.
-			c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = der_cert;
-			}
-		}
-	else
-		{
-		if ( chain_idx == 0 )
-			{
-			# Save the primary cert.
-			c$ssl$cert = der_cert;
-
-			# Also save other certificate information about the primary cert.
-			c$ssl$subject = cert$subject;
-			c$ssl$issuer_subject = cert$issuer;
-			c$ssl$not_valid_before = cert$not_valid_before;
-			c$ssl$not_valid_after = cert$not_valid_after;
-			}
-		else
-			{
-			# Otherwise, add it to the cert validation chain.
-			c$ssl$cert_chain[|c$ssl$cert_chain|] = der_cert;
-			}
-		}
-	}
-
 event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
 	{
 	set_session(c);
diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt
index f1838e5f3b..2591c5dfec 100644
--- a/src/analyzer/protocol/ssl/CMakeLists.txt
+++ b/src/analyzer/protocol/ssl/CMakeLists.txt
@@ -6,6 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 bro_plugin_begin(Bro SSL)
 bro_plugin_cc(SSL.cc Plugin.cc)
 bro_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
 bro_plugin_pac(ssl.pac ssl-analyzer.pac ssl-protocol.pac ssl-defs.pac)
 bro_plugin_end()
diff --git a/src/analyzer/protocol/ssl/Plugin.cc b/src/analyzer/protocol/ssl/Plugin.cc
index c63be864f8..c1783b357d 100644
--- a/src/analyzer/protocol/ssl/Plugin.cc
+++ b/src/analyzer/protocol/ssl/Plugin.cc
@@ -7,5 +7,4 @@ BRO_PLUGIN_BEGIN(Bro, SSL)
 	BRO_PLUGIN_DESCRIPTION("SSL analyzer");
 	BRO_PLUGIN_ANALYZER("SSL", ssl::SSL_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
-	BRO_PLUGIN_BIF_FILE(functions);
 BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
index 5749066780..f674d64fed 100644
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -27,8 +27,7 @@ public:
 	static bool Available()
 		{
 		return ( ssl_client_hello || ssl_server_hello ||
-			ssl_established || ssl_extension || ssl_alert ||
-			x509_certificate || x509_error );
+			ssl_established || ssl_extension || ssl_alert );
 		}
 
 protected:
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index b7586561fc..aff5f4798c 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -22,7 +22,7 @@
 ##          :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
 ## .. bro:see:: ssl_alert  ssl_established ssl_extension ssl_server_hello
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake
 event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
@@ -52,7 +52,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
 ##              standardized as part of the SSL/TLS protocol.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -71,7 +71,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, sessio
 ## val: The raw extension value that was sent in the message.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
@@ -86,7 +86,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## c: The connection.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello  ssl_extension ssl_server_hello
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake
 event ssl_established%(c: connection%);
 
 ## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
@@ -109,7 +109,7 @@ event ssl_established%(c: connection%);
 ##       defined as part of the SSL/TLS protocol.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake
 event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 
 ## Generated for SSL/TLS handshake messages that are a part of the
@@ -130,66 +130,5 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ## ticket: The raw ticket data.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    x509_certificate x509_error x509_extension ssl_alert
+##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
-
-## Generated for X509 certificates seen in SSL/TLS connections. During the
-## initial SSL/TLS handshake, certificates are exchanged in the clear. Bro
-## raises this event for each certificate seen (including both a site's primary
-## cert, and further certs sent as part of the validation chain).
-##
-## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
-## about the X.509 format.
-##
-## c: The connection.
-##
-## is_orig: True if event is raised for originator side of the connection.
-##
-## cert: The parsed certificate.
-##
-## chain_idx: The index in the validation chain that this cert has. Index zero
-##            indicates an endpoint's primary cert, while higher indices
-##            indicate the place in the validation chain (which has length
-##            *chain_len*).
-##
-## chain_len: The total length of the validation chain that this cert is part
-##            of.
-##
-## der_cert: The complete cert encoded in `DER
-##           <http://en.wikipedia.org/wiki/Distinguished_Encoding_Rules>`__
-##           format.
-##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_server_hello  x509_error x509_extension x509_verify
-event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string%);
-
-## Generated for X509 extensions seen in a certificate.
-##
-## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
-## about the X.509 format.
-##
-## c: The connection.
-##
-## is_orig: True if event is raised for originator side of the connection.
-##
-## data: The raw data associated with the extension.
-##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_server_hello x509_certificate x509_error  x509_verify
-#event x509_extension%(c: connection, is_orig: bool, data: string%);
-
-## Generated when errors occur during parsing an X509 certificate.
-##
-## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
-## about the X.509 format.
-##
-## c: The connection.
-##
-## is_orig: True if event is raised for originator side of the connection.
-##
-## err: An error code describing what went wrong. :bro:id:`SSL::x509_errors`
-##      maps error codes to a textual description.
-##
-## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_server_hello x509_certificate  x509_extension x509_err2str x509_verify
-event x509_error%(c: connection, is_orig: bool, err: count%);
diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif
deleted file mode 100644
index f2d4861007..0000000000
--- a/src/analyzer/protocol/ssl/functions.bif
+++ /dev/null
@@ -1,132 +0,0 @@
-
-%%{
-#include <openssl/x509.h>
-#include <openssl/asn1.h>
-#include <openssl/x509_vfy.h>
-
-// This is the indexed map of X509 certificate stores.
-static map<Val*, X509_STORE*> x509_stores;
-
-// ### NOTE: while d2i_X509 does not take a const u_char** pointer,
-// here we assume d2i_X509 does not write to <data>, so it is safe to
-// convert data to a non-const pointer.  Could some X509 guru verify
-// this?
-
-X509* d2i_X509_(X509** px, const u_char** in, int len)
-	{
-#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
-	  return d2i_X509(px, in, len);
-#else
-	  return d2i_X509(px, (u_char**)in, len);
-#endif
-	}
-
-%%}
-
-
-## Verifies a certificate.
-##
-## der_cert: The X.509 certificate in DER format.
-##
-## cert_stack: Specifies a certificate chain to validate against, with index 0
-##             typically being the root CA. Bro uses the Mozilla root CA list
-##             by default.
-##
-## root_certs: A list of additional root certificates that extends
-##             *cert_stack*.
-##
-## Returns: A status code of the verification which can be converted into an
-##          ASCII string via :bro:id:`x509_err2str`.
-##
-## .. bro:see:: x509_err2str
-function x509_verify%(der_cert: string, cert_stack: string_vec, root_certs: table_string_of_string%): count
-	%{
-	X509_STORE* ctx = 0;
-	int i = 0;
-
-	// If this certificate store was built previously, just reuse the old one.
-	if ( x509_stores.count(root_certs) > 0 )
-		ctx = x509_stores[root_certs];
-
-	if ( ! ctx ) // lookup to see if we have this one built already!
-		{
-		ctx = X509_STORE_new();
-		TableVal* root_certs2 = root_certs->AsTableVal();
-		ListVal* idxs = root_certs2->ConvertToPureList();
-
-		// Build the validation store
-		for ( i = 0; i < idxs->Length(); ++i )
-			{
-			Val* key = idxs->Index(i);
-			StringVal *sv = root_certs2->Lookup(key)->AsStringVal();
-			const uint8* data = sv->Bytes();
-			X509* x = d2i_X509_(NULL, &data, sv->Len());
-			if ( ! x )
-				{
-				builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-				return new Val((uint64) ERR_get_error(), TYPE_COUNT);
-				}
-			X509_STORE_add_cert(ctx, x);
-			}
-		delete idxs;
-
-		// Save the newly constructed certificate store into the cacheing map.
-		x509_stores[root_certs] = ctx;
-		}
-
-	const uint8 *cert_data = der_cert->Bytes();
-	X509* cert = d2i_X509_(NULL, &cert_data, der_cert->Len());
-	if ( ! cert )
-		{
-		builtin_error(fmt("Certificate error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-		return new Val((uint64) ERR_get_error(), TYPE_COUNT);
-		}
-
-	STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
-	if ( ! untrusted_certs )
-		{
-		builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-		return new Val((uint64) ERR_get_error(), TYPE_COUNT);
-		}
-
-	VectorVal *cert_stack_vec = cert_stack->AsVectorVal();
-	for ( i = 0; i < (int) cert_stack_vec->Size(); ++i )
-		{
-		StringVal *sv = cert_stack_vec->Lookup(i)->AsStringVal();
-		const uint8 *data = sv->Bytes();
-		X509* x = d2i_X509_(NULL, &data, sv->Len());
-		if ( ! x )
-			{
-			X509_free(cert);
-			sk_X509_pop_free(untrusted_certs, X509_free);
-			builtin_error(fmt("Untrusted certificate stack creation error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-			return new Val((uint64) ERR_get_error(), TYPE_COUNT);
-			}
-		sk_X509_push(untrusted_certs, x);
-		}
-
-	X509_STORE_CTX csc;
-	X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
-	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
-
-	int result = X509_verify_cert(&csc);
-	X509_STORE_CTX_cleanup(&csc);
-
-	if ( untrusted_certs )
-		sk_X509_pop_free(untrusted_certs, X509_free);
-	X509_free(cert);
-
-	return new Val((uint64) csc.error, TYPE_COUNT);
-	%}
-
-## Converts a certificate verification error code into an ASCII string.
-##
-## err_num: The error code.
-##
-## Returns: A string representation of *err_num*.
-##
-## .. bro:see:: x509_verify
-function x509_err2str%(err_num: count%): string
-	%{
-	return new StringVal(X509_verify_cert_error_string(err_num));
-	%}
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 43e2ac5c73..4bf1e27d64 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -8,9 +8,6 @@
 
 #include "util.h"
 
-#include <openssl/x509.h>
-#include <openssl/asn1.h>
-
 #include "file_analysis/Manager.h"
 %}
 
@@ -247,57 +244,13 @@ refine connection SSL_Conn += {
 		if ( certificates->size() == 0 )
 			return true;
 
-		if ( x509_certificate )
+		for ( unsigned int i = 0; i < certificates->size(); ++i )
 			{
-			STACK_OF(X509)* untrusted_certs = 0;
+			const bytestring& cert = (*certificates)[i];
 
-			for ( unsigned int i = 0; i < certificates->size(); ++i )
-				{
-				const bytestring& cert = (*certificates)[i];
-				const uint8* data = cert.data();
-				
-				file_mgr->DataIn(reinterpret_cast<const u_char*>(data), cert.length(), 
-						bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), false);
-				file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn());
-
-				X509* pTemp = d2i_X509_binpac(NULL, &data, cert.length());
-				if ( ! pTemp )
-					{
-					BifEvent::generate_x509_error(bro_analyzer(), bro_analyzer()->Conn(),
-					                              ${rec.is_orig}, ERR_get_error());
-					return false;
-					}
-
-
-				RecordVal* pX509Cert = new RecordVal(x509_type);
-				char tmp[256];
-				BIO *bio = BIO_new(BIO_s_mem());
-
-				pX509Cert->Assign(0, new Val((uint64) X509_get_version(pTemp), TYPE_COUNT));
-				i2a_ASN1_INTEGER(bio, X509_get_serialNumber(pTemp));
-				int len = BIO_read(bio, &(*tmp), sizeof tmp);
-				pX509Cert->Assign(1, new StringVal(len, tmp));
-
-				X509_NAME_print_ex(bio, X509_get_subject_name(pTemp), 0, XN_FLAG_RFC2253);
-				len = BIO_gets(bio, &(*tmp), sizeof tmp);
-				pX509Cert->Assign(2, new StringVal(len, tmp));
-				X509_NAME_print_ex(bio, X509_get_issuer_name(pTemp), 0, XN_FLAG_RFC2253);
-				len = BIO_gets(bio, &(*tmp), sizeof tmp);
-				pX509Cert->Assign(3, new StringVal(len, tmp));
-				BIO_free(bio);
-
-				pX509Cert->Assign(4, new Val(get_time_from_asn1(X509_get_notBefore(pTemp)), TYPE_TIME));
-				pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notAfter(pTemp)), TYPE_TIME));
-				StringVal* der_cert = new StringVal(cert.length(), (const char*) cert.data());
-
-				BifEvent::generate_x509_certificate(bro_analyzer(), bro_analyzer()->Conn(),
-							${rec.is_orig},
-							pX509Cert,
-							i, certificates->size(),
-							der_cert);
-
-				X509_free(pTemp);
-				}
+			file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(), 
+					bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), ${rec.is_orig});
+			file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn());
 			}
 		return true;
 		%}

From 5b3573394edbcf6c8926e84c21d84c13faa412e7 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 24 Jan 2014 15:51:58 -0600
Subject: [PATCH 004/220] Improve TCP FIN retransmission handling.

In the case multiple FIN packets are seen from a TCP endpoint (e.g.
when one is retransmitted), only the first counted towards a byte in the
sequence space.  This could cause a subsequent FIN packet to induce an
incorrect wrap around in the sequence numbers (e.g.  the retransmitted
FIN packet now is one sequence number behind the the first) and
misleadingly large connection sizes.  The change is to always treat a
FIN packet as counting one byte in to the sequence space.
---
 src/analyzer/protocol/tcp/TCP.cc                  |  11 ++++-------
 .../btest/Baseline/core.tcp.fin-retransmit/out    |   2 ++
 testing/btest/Traces/tcp/fin_retransmission.pcap  | Bin 0 -> 434 bytes
 testing/btest/core/tcp/fin-retransmit.bro         |   8 ++++++++
 4 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tcp.fin-retransmit/out
 create mode 100644 testing/btest/Traces/tcp/fin_retransmission.pcap
 create mode 100644 testing/btest/core/tcp/fin-retransmit.bro

diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index aefc5a1808..57c4ebef18 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -373,14 +373,11 @@ void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
 void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint,
 				int& seq_len, uint32 base_seq)
 	{
-	if ( endpoint->FIN_cnt == 0 )
-		{
-		++seq_len;	// FIN consumes a byte of sequence space
-		++endpoint->FIN_cnt;	// remember that we've seen a FIN
-		}
+	++seq_len;  // FIN consumes a byte of sequence space.
+	++endpoint->FIN_cnt;  // remember that we've seen a FIN
 
-	else if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
-		  ++endpoint->FIN_cnt == tcp_storm_thresh )
+	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
+	     endpoint->FIN_cnt == tcp_storm_thresh )
 		Weird("FIN_storm");
 
 	// Remember the relative seq in FIN_seq.
diff --git a/testing/btest/Baseline/core.tcp.fin-retransmit/out b/testing/btest/Baseline/core.tcp.fin-retransmit/out
new file mode 100644
index 0000000000..8afb8222c9
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.fin-retransmit/out
@@ -0,0 +1,2 @@
+[size=0, state=5, num_pkts=3, num_bytes_ip=156, flow_label=0]
+[size=0, state=6, num_pkts=2, num_bytes_ip=92, flow_label=0]
diff --git a/testing/btest/Traces/tcp/fin_retransmission.pcap b/testing/btest/Traces/tcp/fin_retransmission.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..1e17844af55bcf6ccb65c637d5f4f9f3f1173321
GIT binary patch
literal 434
zcmca|c+)~A1{MYw`2U}Qff2|lH#!zHv5}R*56A}LBZdF0Vh=^guQHL?!@=Onz~Ery
z<-p*;#w*OlC|4@D{Gi<p1IFD=(TCoGOxnQo|No%?1_mY;)-8<8%q)zI99*8C1hheN
zEKCs789#C|I05+}jA6RT8-I}L!IIcaZ(#iYpOFpdPOzzhE+A7u?meKv1ve4mQi!==
z_nNedJ21Rp6AA>m6=W*o?i&Wthj-opy7^s$ko-S+Td;crAns*h0-5Mz$i-j-G#!L7
z+^EsH59G$J+tA$zH1%eHpaX;bGLXwa0A$v$i+pgiFkGjR&jxaxMjo2$ZuY$_{20KZ
Mz_~;MViE%b0C*yJumAu6

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tcp/fin-retransmit.bro b/testing/btest/core/tcp/fin-retransmit.bro
new file mode 100644
index 0000000000..42bf062f5a
--- /dev/null
+++ b/testing/btest/core/tcp/fin-retransmit.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -b -r $TRACES/tcp/fin_retransmission.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event connection_state_remove(c: connection)
+    {
+    print c$orig;
+    print c$resp;
+    }

From 9b12967d40b2624cec097732fd8e0b0efaae4612 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 24 Jan 2014 16:21:02 -0600
Subject: [PATCH 005/220] Improve gap reporting in TCP connections that never
 see data.

The previous behavior was to accomodate SYN/FIN/RST-filtered traces by
not reporting missing data (via the content_gap event) for such
connections.  The new behavior always reports gaps for connections that
are established and terminate normally, but sequence numbers indicate
that all data packets of the connection were missed.  The behavior can
be reverted by redef'ing "detect_filtered_trace".
---
 scripts/base/init-bare.bro                       |   6 ++++++
 src/analyzer/protocol/tcp/TCP_Reassembler.cc     |   2 +-
 src/const.bif                                    |   1 +
 .../Baseline/core.tcp.miss-end-data/conn.log     |  10 ++++++++++
 .../btest/Baseline/core.tcp.miss-end-data/out    |   1 +
 testing/btest/Traces/tcp/miss_end_data.pcap      | Bin 0 -> 1216 bytes
 testing/btest/core/tcp/miss-end-data.bro         |  10 ++++++++++
 7 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/core.tcp.miss-end-data/conn.log
 create mode 100644 testing/btest/Baseline/core.tcp.miss-end-data/out
 create mode 100644 testing/btest/Traces/tcp/miss_end_data.pcap
 create mode 100644 testing/btest/core/tcp/miss-end-data.bro

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 8d4899b785..ce8d68d289 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2849,6 +2849,12 @@ global load_sample_freq = 20 &redef;
 ## .. bro:see:: gap_report
 const gap_report_freq = 1.0 sec &redef;
 
+## Whether to attempt to automatically detect SYN/FIN/RST-filtered trace
+## and not report missing segments for such connections.
+## If this is enabled, then missing data at the end of connections may not
+## be reported via :bro:see:`content_gap`.
+const detect_filtered_trace = F &redef;
+
 ## Whether we want :bro:see:`content_gap` and :bro:see:`gap_report` for partial
 ## connections. A connection is partial if it is missing a full handshake. Note
 ## that gap reports for partial connections might not be reliable.
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index a1e20dc0e6..49292a04a5 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -178,7 +178,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// to this method and only if this condition is not true).
 		reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
 
-	if ( last_reassem_seq == 1 &&
+	if ( BifConst::detect_filtered_trace && last_reassem_seq == 1 &&
 	     (endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 ||
 	      peer->FIN_cnt > 0 || peer->RST_cnt > 0) )
 		{
diff --git a/src/const.bif b/src/const.bif
index fd0419c7d9..0ba168ca85 100644
--- a/src/const.bif
+++ b/src/const.bif
@@ -5,6 +5,7 @@
 const ignore_keep_alive_rexmit: bool;
 const skip_http_data: bool;
 const use_conn_size_analyzer: bool;
+const detect_filtered_trace: bool;
 const report_gaps_for_partial: bool;
 const exit_only_after_terminate: bool;
 
diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
new file mode 100644
index 0000000000..723e5becc3
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-01-24-22-19-38
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1331764471.664131	CXWv6p3arKYeMETxOg	192.168.122.230	60648	77.238.160.184	80	tcp	http	10.048360	538	2902	SF	-	2902	ShADafF	5	750	4	172	(empty)
+#close	2014-01-24-22-19-38
diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/out b/testing/btest/Baseline/core.tcp.miss-end-data/out
new file mode 100644
index 0000000000..cd5881035f
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.miss-end-data/out
@@ -0,0 +1 @@
+content_gap, [orig_h=192.168.122.230, orig_p=60648/tcp, resp_h=77.238.160.184, resp_p=80/tcp], F, 1, 2902
diff --git a/testing/btest/Traces/tcp/miss_end_data.pcap b/testing/btest/Traces/tcp/miss_end_data.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ae5aecbaac78f2ebd7243f373f1142c690fbda0e
GIT binary patch
literal 1216
zcmaLXOH30%7y#huf<_xl025+-gpHA=KzFxG>24pXDMemE+6HR$V4}<JY`b*3yY8db
zdg0{31CIk2y~xe8@!-+KgI5n+!2^lmKs;z7coAoIfl4tnoo2c-^UXhh|LMl3ck2Xb
z2S=}i0|0#J%ieV%KYG&-vZ#;SpB|3r{S11zTJh2aFb2S|_&5U=&sXV>ZyVoczQ6gf
zy8{Z_!SOvTEfORMyaa$~Klk3()<*bz?F1Ho@=ejRJl7Ke$N=vA)n%+<6%=-Nrq^D?
zk-ERw-Sg$n#-WHbq+Z10dfX2<v?Fe(Vho9r8za{e<33Uoh0aX>!@PIWmD_$$Ab{Ii
z6(TD_tW>W3SGkhupPK|=Vys9q+z=aM<{e3Trii*`F&rO_#fGDaOfJIH3r2~YEEWq4
zOS1w0q;A<sQWnfAPg}NND<UncidZpeQLhI4_bg~qBPFPzNi%vwQB{G7(GfCqU(qD}
zsYT|BBuBF;(yS$UIzqGk<OCEeIx`euBk0YN<BADoz0SC!0sn|7LIYtotlLc4uBu_d
zFwll*XI*3J_{m_s^=Va2JxNFCM0kK1aC`A1h`K9iB}XX1Bq>2kf?)}I6T(oV9Lw#;
zP~YuDk5`RpqAn>~DM^+ZiV;R@WmT}@@%U(2FfE9}oSMs1@pvpjv0=xSskrO#VJ`|k
z;2+gB4T?DSBw2ybpafN^A!ioK(1d1^EZeq`WEiv^{3o#tUa40U6n6GO8ZHbk*zp8k
z9paoya6TOkT4_;Ek+S-zmbP@KY@|q47ZKfX)0B3P+852%>*zx)<Czk)Q5;ZGQ9itJ
zcfGAUW+RP$=YStqsWRKF(o=OG`qhi;{?_xBx=(Ber@9NBpyO2m-N_q5KDT+M(&sA9
zNo94}Rk}dO(r-_RZZ(zGS_dIX#kH=s-0G?B>9y4rd}DH3o-+9LOr`27)X5ujsB|G^
d(^G^WP33f64*w5cx14ANo#-;o%hEmoe*w*=ZlnMJ

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tcp/miss-end-data.bro b/testing/btest/core/tcp/miss-end-data.bro
new file mode 100644
index 0000000000..6cee7577d9
--- /dev/null
+++ b/testing/btest/core/tcp/miss-end-data.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -r $TRACES/tcp/miss_end_data.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff conn.log
+
+redef report_gaps_for_partial = T;
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	print "content_gap", c$id, is_orig, seq, length;
+	}

From 6d46144c3b1453d429848a699767215b61302024 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 24 Jan 2014 16:32:55 -0600
Subject: [PATCH 006/220] Improve TCP connection size reporting for half-open
 connections.

If TCP endpoint A and B are synchronized at some point, but A
closes/aborts/crashes and B goes on without knowledge of it and then A
tries to re-synchronize, Bro could end up seeing something like
(sequence numbers made up):

A: SYN 100
B: ACK 500
A: RST 500

The final sequence number of A, in this case, is not useful in the
context of determining the number of data bytes sent by A, so Bro now
reports that as 0 (where before it could often be misleadingly large).
---
 src/analyzer/protocol/tcp/TCP_Endpoint.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index d596234021..ad642a46e3 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -161,6 +161,13 @@ void TCP_Endpoint::SetState(EndpointState new_state)
 
 bro_int_t TCP_Endpoint::Size() const
 	{
+	if ( prev_state == TCP_ENDPOINT_SYN_SENT && state == TCP_ENDPOINT_RESET &&
+	     peer->state == TCP_ENDPOINT_INACTIVE && ! NoDataAcked() )
+		// This looks like a half-open connection was discovered and aborted.
+		// Sequence numbers could be misleading if used in context of data size
+		// and there was never a chance for this endpoint to send data anyway.
+		return 0;
+
 	bro_int_t size;
 
 	uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq;

From e09763e0613ea6ea8134d11957e419e3061b5db0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 24 Jan 2014 16:47:00 -0600
Subject: [PATCH 007/220] Fix file_over_new_connection event to trigger when
 entire file is missed.

If a file is nothing but gaps (e.g. due to missing/dropped packets), Bro
can sometimes detect a file is supposed to have been present and never
saw any of its content, but failed to raise file_over_new_connection
events for it.  This was mostly apparent because the tx_hosts/rx_hosts
fields in files.log would not be populated in such cases (but are now
with this change).
---
 src/file_analysis/File.cc | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 55b28763c8..deda0f9e93 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -103,7 +103,6 @@ File::~File()
 	DBG_LOG(DBG_FILE_ANALYSIS, "Destroying File object %s", id.c_str());
 	Unref(val);
 
-	// Queue may not be empty in the case where only content gaps were seen.
 	while ( ! fonc_queue.empty() )
 		{
 		delete_vals(fonc_queue.front().second);
@@ -460,20 +459,27 @@ void File::FileEvent(EventHandlerPtr h)
 	FileEvent(h, vl);
 	}
 
+static void flush_file_event_queue(queue<pair<EventHandlerPtr, val_list*> >& q)
+	{
+	while ( ! q.empty() )
+		{
+		pair<EventHandlerPtr, val_list*> p = q.front();
+		mgr.QueueEvent(p.first, p.second);
+		q.pop();
+		}
+	}
+
 void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	{
+	if ( h == file_state_remove )
+		flush_file_event_queue(fonc_queue);
+
 	mgr.QueueEvent(h, vl);
 
 	if ( h == file_new )
 		{
 		did_file_new_event = true;
-
-		while ( ! fonc_queue.empty() )
-			{
-			pair<EventHandlerPtr, val_list*> p = fonc_queue.front();
-			mgr.QueueEvent(p.first, p.second);
-			fonc_queue.pop();
-			}
+		flush_file_event_queue(fonc_queue);
 		}
 
 	if ( h == file_new || h == file_timeout || h == file_extraction_limit )

From 56acd99d15e2e64182a685afa84efe7741213b8c Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Fri, 24 Jan 2014 21:00:55 -0500
Subject: [PATCH 008/220] Fix misidentification of SOCKS traffic. Traffic that
 had a certain bytestring would get incorrectly identified as SOCKS. This
 seemed to happen a lot with DCE/RPC traffic.

---
 src/analyzer/protocol/socks/socks-analyzer.pac | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac
index 885542fc2a..b7cbaaceac 100644
--- a/src/analyzer/protocol/socks/socks-analyzer.pac
+++ b/src/analyzer/protocol/socks/socks-analyzer.pac
@@ -64,6 +64,12 @@ refine connection SOCKS_Conn += {
 			bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
 			return false;
 			}
+		if ( ( ${request.command} == 0 ) || ( ${request.command} > 3 ) )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("invalid value in reserved field: %d", ${request.reserved}));
+			bro_analyzer()->SetSkip(true);
+			return false;
+			}
 
 		RecordVal* sa = new RecordVal(socks_address);
 
@@ -105,7 +111,7 @@ refine connection SOCKS_Conn += {
 	function socks5_reply(reply: SOCKS5_Reply): bool
 		%{
 		RecordVal* sa = new RecordVal(socks_address);
-
+		
 		// This is dumb and there must be a better way (checking for presence of a field)...
 		switch ( ${reply.bound.addr_type} )
 			{

From 6d73b8c57e5bd74a0e7b880d2e547cd6da3649b9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 27 Jan 2014 10:22:06 -0800
Subject: [PATCH 009/220] Fix x509_extension event.

The event now really returns the extension. If openssl supports printing
it, it is converted into the openssl ascii output.

The output does not always look pretty because it can contain newlines.

New event syntax:
event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info)

Example output for extension:
  [name=X509v3 Extended Key Usage,
    short_name=extendedKeyUsage,
    oid=2.5.29.37,
    critical=F,
    value=TLS Web Server Authentication, TLS Web Client Authentication]
  [name=X509v3 Certificate Policies,
   short_name=certificatePolicies,
   oid=2.5.29.32,
   critical=F,
   value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J  CPS: https://secure.comodo.com/CPS^J]
---
 scripts/base/init-bare.bro                    | 12 ++++
 src/NetVar.cc                                 |  2 +
 src/NetVar.h                                  |  1 +
 src/analyzer/protocol/ssl/events.bif          |  6 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    | 61 +++++++++++++------
 .../.stdout                                   | 20 ++++++
 .../base/protocols/ssl/x509_extensions.test   |  7 +++
 7 files changed, 90 insertions(+), 19 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
 create mode 100644 testing/btest/scripts/base/protocols/ssl/x509_extensions.test

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 8d4899b785..7f80e63f54 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2432,6 +2432,18 @@ type X509: record {
 	not_valid_after: time;	##< Timestamp after when certificate is not valid.
 };
 
+## An X509 extension.
+##
+##
+## .. bro:see:: x509_extension
+type X509_extension_info: record {
+	name: string; ##< long name of extension. oid if name not known
+	short_name: string &optional; ##< short name of extension if known.
+	oid: string; ##< oid of extension
+	critical: bool; ##< true if extension is critical
+	value: string; ##< extension content parsed to string for known extensions. Raw data otherwise.
+};
+
 ## HTTP session statistics.
 ##
 ## .. bro:see:: http_stats
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 79652112f3..05a4e16b47 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -48,6 +48,7 @@ int tcp_max_above_hole_without_any_acks;
 int tcp_excessive_data_without_further_acks;
 
 RecordType* x509_type;
+RecordType* x509_extension_type;
 
 RecordType* socks_address;
 
@@ -356,6 +357,7 @@ void init_net_var()
 		opt_internal_int("tcp_excessive_data_without_further_acks");
 
 	x509_type = internal_type("X509")->AsRecordType();
+	x509_extension_type = internal_type("X509_extension_info")->AsRecordType();
 
 	socks_address = internal_type("SOCKS::Address")->AsRecordType();
 
diff --git a/src/NetVar.h b/src/NetVar.h
index 12949c0e55..8ef6571313 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -51,6 +51,7 @@ extern int tcp_max_above_hole_without_any_acks;
 extern int tcp_excessive_data_without_further_acks;
 
 extern RecordType* x509_type;
+extern RecordType* x509_extension_type;
 
 extern RecordType* socks_address;
 
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 01abb87745..7319d2ce3e 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -178,11 +178,13 @@ event x509_certificate%(c: connection, is_orig: bool, cert: X509, chain_idx: cou
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## data: The raw data associated with the extension.
+## cert: The parsed certificate.
+##
+## extension: The parsed extension.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_server_hello x509_certificate x509_error  x509_verify
-event x509_extension%(c: connection, is_orig: bool, data: string%);
+event x509_extension%(c: connection, is_orig: bool, cert: X509, extension: X509_extension_info%);
 
 ## Generated when errors occur during parsing an X509 certificate.
 ##
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 18d3812742..0156671ce8 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -9,6 +9,7 @@
 #include "util.h"
 
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/asn1.h>
 %}
 
@@ -298,25 +299,51 @@ refine connection SSL_Conn += {
 					int num_ext = X509_get_ext_count(pTemp);
 					for ( int k = 0; k < num_ext; ++k )
 						{
-						unsigned char *pBuffer = 0;
-						int length = 0;
+						char name[256];
+						char oid[256];
+
+						memset(name, 0, 256);
+						memset(oid, 0, 256);
 
 						X509_EXTENSION* ex = X509_get_ext(pTemp, k);
-						if (ex)
-							{
-							ASN1_STRING *pString = X509_EXTENSION_get_data(ex);
-							length = ASN1_STRING_to_UTF8(&pBuffer, pString);
-							//i2t_ASN1_OBJECT(&pBuffer, length, obj)
-							// printf("extension length: %d\n", length);
-							// -1 indicates an error.
-							if ( length >= 0 )
-								{
-								StringVal* value = new StringVal(length, (char*)pBuffer);
-								BifEvent::generate_x509_extension(bro_analyzer(),
-											bro_analyzer()->Conn(), ${rec.is_orig}, value);
-								}
-							OPENSSL_free(pBuffer);
-							}
+						
+						if ( !ex ) 
+							continue;
+
+						ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex);
+						const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn));
+
+						OBJ_obj2txt(name, 255, ext_asn, 0);
+						OBJ_obj2txt(oid, 255, ext_asn, 1);
+
+						int critical = 0;
+						if ( X509_EXTENSION_get_critical(ex) != 0 )
+							critical = 1;
+
+						BIO *bio = BIO_new(BIO_s_mem());
+						if(!X509V3_EXT_print(bio, ex, 0, 0))
+							M_ASN1_OCTET_STRING_print(bio,ex->value);
+
+						BIO_flush(bio);
+						int length = BIO_pending(bio);
+						// use OPENSSL_malloc here. Using new or anything else can lead
+						// to interesting, hard to debug segfaults.
+						char *buffer = (char*) OPENSSL_malloc(length); 
+						BIO_read(bio, buffer, length);
+						StringVal* ext_val = new StringVal(length, buffer);
+						BIO_free_all(bio);
+						OPENSSL_free(buffer);
+
+						RecordVal* pX509Ext = new RecordVal(x509_extension_type);						
+						pX509Ext->Assign(0, new StringVal(name));
+						if ( short_name and strlen(short_name) > 0 ) 
+							pX509Ext->Assign(1, new StringVal(short_name));
+						pX509Ext->Assign(2, new StringVal(oid));
+						pX509Ext->Assign(3, new Val(critical, TYPE_BOOL));
+						pX509Ext->Assign(4, ext_val);
+
+						BifEvent::generate_x509_extension(bro_analyzer(),
+									bro_analyzer()->Conn(), ${rec.is_orig}, pX509Cert->Ref(), pX509Ext);
 						}
 					}
 				X509_free(pTemp);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
new file mode 100644
index 0000000000..3f9c8661bf
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
@@ -0,0 +1,20 @@
+[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B^J]
+[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=A2:76:09:20:A8:40:FD:A1:AC:C8:E9:35:B9:11:A6:61:FF:8C:FF:A3]
+[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
+[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
+[name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
+[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J  CPS: https://secure.comodo.com/CPS^J]
+[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl^J]
+[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt^JOCSP - URI:http://ocsp.comodoca.com^J]
+[name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.taleo.net, DNS:taleo.net]
+[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A^J]
+[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B]
+[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
+[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
+[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: X509v3 Any Policy^J]
+[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl^J]
+[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c^JCA Issuers - URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt^JOCSP - URI:http://ocsp.usertrust.com^J]
+[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A]
+[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
+[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE]
+[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A^JDirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root^Jserial:01^J]
diff --git a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
new file mode 100644
index 0000000000..4db3233b27
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info) 
+{
+	print extension;
+}

From af95026348688e0df8c867f67d2a53a3d440cf41 Mon Sep 17 00:00:00 2001
From: Jeannette Dopheide <jdopheid@illinois.edu>
Date: Mon, 27 Jan 2014 15:23:24 -0600
Subject: [PATCH 010/220] Minor grammar edits to Installation and Quick Start
 pages

---
 doc/install/install.rst  |  8 ++++----
 doc/quickstart/index.rst | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/doc/install/install.rst b/doc/install/install.rst
index 3678d948c2..7030c95642 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -89,7 +89,7 @@ Optional Dependencies
 Bro can make use of some optional libraries and tools if they are found at
 build time:
 
-    * LibGeoIP (for geo-locating IP addresses)
+    * LibGeoIP (for geolocating IP addresses)
     * sendmail (enables Bro and BroControl to send mail)
     * gawk (enables all features of bro-cut)
     * curl (used by a Bro script that implements active HTTP)
@@ -137,11 +137,11 @@ The primary install prefix for binary packages is ``/opt/bro``.
 Non-MacOS packages that include BroControl also put variable/runtime
 data (e.g. Bro logs) in ``/var/opt/bro``.
 
-Installing From Source
+Installing from Source
 ==========================
 
-Bro releases are bundled into source packages for convenience and
-available from the `bro downloads page`_. Alternatively, the latest
+Bro releases are bundled into source packages for convenience and are
+available on the `bro downloads page`_. Alternatively, the latest
 Bro development version can be obtained through git repositories
 hosted at ``git.bro.org``.  See our `git development documentation
 <http://bro.org/development/process.html>`_ for comprehensive
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index 49a909a37f..e8ead2cf01 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -155,7 +155,7 @@ changes we want to make:
    attempt looks like it may have been successful, and we want email when
    that happens, but only for certain servers.
 
-So we've defined *what* we want to do, but need to know *where* to do it.
+We've defined *what* we want to do, but need to know *where* to do it.
 The answer is to use a script written in the Bro programming language, so
 let's do a quick intro to Bro scripting.
 
@@ -181,7 +181,7 @@ must explicitly choose if they want to load them.
 
 The main entry point for the default analysis configuration of a standalone
 Bro instance managed by BroControl is the ``$PREFIX/share/bro/site/local.bro``
-script.  So we'll be adding to that in the following sections, but first
+script.  We'll be adding to that in the following sections, but first
 we have to figure out what to add.
 
 Redefining Script Option Variables
@@ -197,7 +197,7 @@ A redefineable constant might seem strange, but what that really means is that
 the variable's value may not change at run-time, but whose initial value can be
 modified via the ``redef`` operator at parse-time.
 
-So let's continue on our path to modify the behavior for the two SSL
+Let's continue on our path to modify the behavior for the two SSL
 and SSH notices.  Looking at :doc:`/scripts/base/frameworks/notice/main.bro`,
 we see that it advertises:
 
@@ -211,7 +211,7 @@ we see that it advertises:
         const ignored_types: set[Notice::Type] = {} &redef;
     }
 
-That's exactly what we want to do for the SSL notice.  So add to ``local.bro``:
+That's exactly what we want to do for the SSL notice.  Add to ``local.bro``:
 
 .. code:: bro
 
@@ -276,9 +276,9 @@ an email on the condition that the predicate function evaluates to true, which
 is whenever the notice type is an SSH login and the responding host stored
 inside the ``Info`` record's connection field is in the set of watched servers.
 
-.. note:: record field member access is done with the '$' character
+.. note:: Record field member access is done with the '$' character
    instead of a '.' as might be expected from other languages, in
-   order to avoid ambiguity with the builtin address type's use of '.'
+   order to avoid ambiguity with the built-in address type's use of '.'
    in IPv4 dotted decimal representations.
 
 Remember, to finalize that configuration change perform the ``check``,

From 2c7e7f962ea847259a95f04f3360775149d72702 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Oct 2013 12:50:47 -0700
Subject: [PATCH 011/220] Make x509 certificates an opaque type

---
 src/SerialTypes.h                             |   1 +
 src/Type.h                                    |   1 +
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  16 ---
 src/analyzer/protocol/ssl/ssl-protocol.pac    | 100 ------------------
 .../analyzer/x509/CMakeLists.txt              |   2 +-
 src/file_analysis/analyzer/x509/Plugin.cc     |   1 +
 src/file_analysis/analyzer/x509/X509.cc       |  64 +++++++++++
 src/file_analysis/analyzer/x509/X509.h        |  44 ++++++++
 src/main.cc                                   |   2 +
 9 files changed, 114 insertions(+), 117 deletions(-)

diff --git a/src/SerialTypes.h b/src/SerialTypes.h
index 69927afb74..81ccbc030e 100644
--- a/src/SerialTypes.h
+++ b/src/SerialTypes.h
@@ -111,6 +111,7 @@ SERIAL_VAL(ENTROPY_VAL, 19)
 SERIAL_VAL(TOPK_VAL, 20)
 SERIAL_VAL(BLOOMFILTER_VAL, 21)
 SERIAL_VAL(CARDINALITY_VAL, 22)
+SERIAL_VAL(X509_VAL, 23)
 
 #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
 SERIAL_EXPR(EXPR, 1)
diff --git a/src/Type.h b/src/Type.h
index a6163d5152..b880eac131 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -616,6 +616,7 @@ extern OpaqueType* entropy_type;
 extern OpaqueType* cardinality_type;
 extern OpaqueType* topk_type;
 extern OpaqueType* bloomfilter_type;
+extern OpaqueType* x509_opaque_type;
 
 // Returns the BRO basic (non-parameterized) type with the given type.
 extern BroType* base_type(TypeTag tag);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 4bf1e27d64..f9de1a12a8 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -22,8 +22,6 @@
 	};
 
 	string orig_label(bool is_orig);
-	void free_X509(void *);
-	X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
 	string handshake_type_label(int type);
 	%}
 
@@ -33,20 +31,6 @@ string orig_label(bool is_orig)
 		return string(is_orig ? "originator" :"responder");
 		}
 
-	void free_X509(void* cert)
-		{
-		X509_free((X509*) cert);
-		}
-
-	X509* d2i_X509_binpac(X509** px, const uint8** in, int len)
-		{
-#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
-		return d2i_X509(px, in, len);
-#else
-		return d2i_X509(px, (u_char**) in, len);
-#endif
-		}
-
 	string handshake_type_label(int type)
 		{
 		switch ( type ) {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index b35d07f18b..4f24251a5c 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -22,7 +22,6 @@ type uint24 = record {
 	};
 
 	string state_label(int state_nr);
-	double get_time_from_asn1(const ASN1_TIME * atime);
 %}
 
 extern type to_int;
@@ -146,105 +145,6 @@ enum AnalyzerState {
 			return string(fmt("UNKNOWN (%d)", state_nr));
 		}
 		}
-
-
-	double get_time_from_asn1(const ASN1_TIME * atime)
-		{
-		time_t lResult = 0;
-
-		char lBuffer[24];
-		char * pBuffer = lBuffer;
-
-		size_t lTimeLength = atime->length;
-		char * pString = (char *) atime->data;
-
-		if ( atime->type == V_ASN1_UTCTIME )
-			{
-			if ( lTimeLength < 11 || lTimeLength > 17 )
-				return 0;
-
-			memcpy(pBuffer, pString, 10);
-			pBuffer += 10;
-			pString += 10;
-			}
-		else
-			{
-			if ( lTimeLength < 13 )
-				return 0;
-
-			memcpy(pBuffer, pString, 12);
-			pBuffer += 12;
-			pString += 12;
-			}
-
-		if ((*pString == 'Z') || (*pString == '-') || (*pString == '+'))
-			{
-			*(pBuffer++) = '0';
-			*(pBuffer++) = '0';
-			}
-		else
-			{
-			*(pBuffer++) = *(pString++);
-			*(pBuffer++) = *(pString++);
-
-			// Skip any fractional seconds...
-			if (*pString == '.')
-				{
-				pString++;
-				while ((*pString >= '0') && (*pString <= '9'))
-					pString++;
-				}
-			}
-
-		*(pBuffer++) = 'Z';
-		*(pBuffer++) = '\0';
-
-		time_t lSecondsFromUTC;
-
-		if ( *pString == 'Z' )
-			lSecondsFromUTC = 0;
-
-		else
-			{
-			if ((*pString != '+') && (pString[5] != '-'))
-				return 0;
-
-			lSecondsFromUTC = ((pString[1]-'0') * 10 + (pString[2]-'0')) * 60;
-			lSecondsFromUTC += (pString[3]-'0') * 10 + (pString[4]-'0');
-
-			if (*pString == '-')
-				lSecondsFromUTC = -lSecondsFromUTC;
-			}
-
-		tm lTime;
-		lTime.tm_sec  = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
-		lTime.tm_min  = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
-		lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
-		lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
-		lTime.tm_mon  = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
-		lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
-
-		if ( lTime.tm_year < 50 )
-			lTime.tm_year += 100; // RFC 2459
-
-		lTime.tm_wday = 0;
-		lTime.tm_yday = 0;
-		lTime.tm_isdst = 0;  // No DST adjustment requested
-
-		lResult = mktime(&lTime);
-
-		if ( lResult )
-			{
-			if ( 0 != lTime.tm_isdst )
-				lResult -= 3600;  // mktime may adjust for DST  (OS dependent)
-
-			lResult += lSecondsFromUTC;
-			}
-		else
-			lResult = 0;
-
-		return lResult;
-	}
 %}
 
 ######################################################################
diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt
index 759a01b55c..b07ef278f7 100644
--- a/src/file_analysis/analyzer/x509/CMakeLists.txt
+++ b/src/file_analysis/analyzer/x509/CMakeLists.txt
@@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
 
 bro_plugin_begin(Bro X509)
 bro_plugin_cc(X509.cc Plugin.cc ../../Analyzer.cc)
-bro_plugin_bif(events.bif types.bif)
+bro_plugin_bif(events.bif types.bif functions.bif)
 bro_plugin_end()
diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc
index 1e76e3fdb7..5b0e5779c5 100644
--- a/src/file_analysis/analyzer/x509/Plugin.cc
+++ b/src/file_analysis/analyzer/x509/Plugin.cc
@@ -7,4 +7,5 @@ BRO_PLUGIN_BEGIN(Bro, X509)
 	BRO_PLUGIN_FILE_ANALYZER("X509", X509);
 	BRO_PLUGIN_BIF_FILE(events);
 	BRO_PLUGIN_BIF_FILE(types);	
+	BRO_PLUGIN_BIF_FILE(functions);
 BRO_PLUGIN_END
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 3d7871be9a..59ab644634 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -17,6 +17,8 @@
 
 using namespace file_analysis;
 
+IMPLEMENT_SERIAL(X509Val, SER_X509_VAL);
+
 file_analysis::X509::X509(RecordVal* args, file_analysis::File* file)
     : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file)
 	{
@@ -444,3 +446,65 @@ double file_analysis::X509::get_time_from_asn1(const ASN1_TIME * atime)
 	return lResult;
 }
 
+X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type)
+	{
+	certificate = arg_certificate;
+	}
+
+X509Val::X509Val() : OpaqueVal(x509_opaque_type)
+	{
+	certificate = 0;
+	}
+
+X509Val::~X509Val()
+	{
+	if ( certificate )
+		X509_free(certificate);
+	}
+
+::X509* X509Val::GetCertificate() const
+	{
+	return certificate;
+	}
+
+bool X509Val::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_X509_VAL, X509Val);
+
+	unsigned char *buf = NULL;
+
+	int length = i2d_X509(certificate, &buf);
+
+	if ( length < 0 ) 
+		return false;
+
+	bool res = SERIALIZE_STR(reinterpret_cast<const char*>(buf), length);
+
+	OPENSSL_free(buf);
+	return res;
+	}
+
+bool X509Val::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(OpaqueVal)
+
+	int length;
+	unsigned char *certbuf, *opensslbuf;
+
+	if ( ! UNSERIALIZE_STR(reinterpret_cast<char **>(&certbuf), &length) )
+		return false;
+
+	opensslbuf = certbuf; // OpenSSL likes to shift pointers around. really.
+	certificate = d2i_X509(NULL, const_cast<const unsigned char**>(&opensslbuf), length);
+	delete[] certbuf;
+
+	if ( !certificate ) 
+		return false;
+
+	return true;
+	}
+
+
+
+
+
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index cc0131afac..80bb68209e 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -39,6 +39,50 @@ private:
 	std::string cert_data;
 };
 
+/**
+ * This class wraps an OpenSSL X509 data structure. 
+ *
+ * We need these to be able to pass OpenSSL pointers around in Bro
+ * script-land. Otherwise, we cannot verify certificates from Bro 
+ * scriptland
+ */
+class X509Val : public OpaqueVal {
+public:
+	/**
+	 * Construct an X509Val.
+	 *
+	 * @param certificate specifies the wrapped OpenSSL certificate
+	 *
+	 * @return A newly initialized X509Val
+	 */
+	X509Val(::X509* certificate);
+
+	/**
+	 * Destructor.
+	 */
+	~X509Val();
+
+	/**
+	 * Get the wrapped X509 certificate. Please take care, that the
+	 * internal OpenSSL reference counting stays the same.
+	 *
+	 * @return The wrapped OpenSSL X509 certificate
+	 */
+	::X509* GetCertificate() const;
+
+protected:
+	/**
+	 * Construct an empty X509Val. Only used for deserialization
+	 */
+	X509Val();
+
+private:
+	::X509* certificate; // the wrapped certificate
+
+	DECLARE_SERIAL(X509Val);
+};
+
 }
 
+
 #endif
diff --git a/src/main.cc b/src/main.cc
index 313e1a40b0..ffa7a85f29 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -131,6 +131,7 @@ OpaqueType* entropy_type = 0;
 OpaqueType* cardinality_type = 0;
 OpaqueType* topk_type = 0;
 OpaqueType* bloomfilter_type = 0;
+OpaqueType* x509_opaque_type = 0;
 
 extern std::list<BroDoc*> docs_generated;
 
@@ -860,6 +861,7 @@ int main(int argc, char** argv)
 	cardinality_type = new OpaqueType("cardinality");
 	topk_type = new OpaqueType("topk");
 	bloomfilter_type = new OpaqueType("bloomfilter");
+	x509_opaque_type = new OpaqueType("x509");
 
 	// The leak-checker tends to produce some false
 	// positives (memory which had already been

From 0e0e74e49c01ab867d430d21c149bdf27915b0c3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 28 Jan 2014 11:04:01 -0600
Subject: [PATCH 012/220] Improve DNS analysis.

- Fix parsing of empty question sections (when QDCOUNT == 0).  In this
  case, the DNS parser would extract two 2-byte fields for use in either
  "dns_query_reply" or "dns_rejected" events (dependent on value of
  RCODE) as qclass and qtype parameters.  This is not correct, because
  such fields don't actually exist in the DNS message format when
  QDCOUNT is 0.  As a result, these events are no longer raised when
  there's an empty question section.  Scripts that depends on checking
  for an empty question section can do that in the "dns_message" event.

- Add a new "dns_unknown_reply" event, for when Bro does not know how
  to fully parse a particular resource record type.  This helps fix a
  problem in the default DNS scripts where the logic to complete
  request-reply pair matching doesn't work because it's waiting on more
  RR events to complete the reply.  i.e. it expects ANCOUNT number of
  dns_*_reply events and will wait until it gets that many before
  completing a request-reply pair and logging it to dns.log.  This could
  cause bogus replies to match a previous request if they happen to
  share a DNS transaction ID.
---
 scripts/base/protocols/dns/main.bro           | 27 +++++++++++++++----
 src/analyzer/protocol/dns/DNS.cc              | 22 +++++++--------
 src/analyzer/protocol/dns/events.bif          | 20 ++++++++++++--
 .../btest-doc.sphinx.using_bro#1              |  4 +--
 .../conn.select                               |  4 +--
 .../dns.log                                   |  6 ++---
 .../dns.log                                   |  8 +++---
 7 files changed, 61 insertions(+), 30 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 0d23029ad7..f3f19d488c 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -158,12 +158,17 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 	# If this is either a query or this is the reply but
 	# no Info records are in the queue (we missed the query?)
 	# we need to create an Info record and put it in the queue.  
-	if ( is_query ||
-	     Queue::len(c$dns_state$pending[msg$id]) == 0 )
+	if ( is_query )
 		{
 		info = new_session(c, msg$id);
 		Queue::put(c$dns_state$pending[msg$id], info);
 		}
+	else if ( Queue::len(c$dns_state$pending[msg$id]) == 0 )
+		{
+		info = new_session(c, msg$id);
+		Queue::put(c$dns_state$pending[msg$id], info);
+		event conn_weird("dns_unmatched_reply", c, "");
+		}
 
 	if ( is_query )
 		# If this is a query, assign the newly created info variable
@@ -202,17 +207,23 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
 	{
 	hook set_session(c, msg, is_orig);
+
+	if ( msg$QR && msg$rcode != 0 && msg$num_queries == 0 )
+		c$dns$rejected = T;
 	}
 
 event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
 	{
+	if ( ! msg$QR )
+		# This is weird: the inquirer must also be providing answers in
+		# the request, which is not what we want to track.
+		return;
+
 	if ( ans$answer_type == DNS_ANS )
 		{
 		if ( ! c?$dns )
-			{
-			event conn_weird("dns_unmatched_reply", c, "");
 			hook set_session(c, msg, F);
-			}
+
 		c$dns$AA    = msg$AA;
 		c$dns$RA    = msg$RA;
 
@@ -265,6 +276,12 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
 	c$dns$query = query;
 	}
 
+
+event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
+	{
+	event DNS::do_reply(c, msg, ans, fmt("<unknown type=%s>", ans$qtype));
+	}
+
 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
 	{
 	event DNS::do_reply(c, msg, ans, fmt("%s", a));
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 806cb9ae75..b17a90dd61 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -137,18 +137,6 @@ int DNS_Interpreter::ParseQuestions(DNS_MsgInfo* msg,
 	{
 	int n = msg->qdcount;
 
-	if ( n == 0 )
-		{
-		// Generate event here because we won't go into ParseQuestion.
-		EventHandlerPtr dns_event =
-			msg->rcode == DNS_CODE_OK ?
-				dns_query_reply : dns_rejected;
-		BroString* question_name = new BroString("<no query>");
-
-		SendReplyOrRejectEvent(msg, dns_event, data, len, question_name);
-		return 1;
-		}
-
 	while ( n > 0 && ParseQuestion(msg, data, len, msg_start) )
 		--n;
 	return n == 0;
@@ -299,6 +287,16 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			break;
 
 		default:
+
+			if ( dns_unknown_reply && ! msg->skip_event )
+				{
+				val_list* vl = new val_list;
+				vl->append(analyzer->BuildConnVal());
+				vl->append(msg->BuildHdrVal());
+				vl->append(msg->BuildAnswerVal());
+				analyzer->ConnectionEvent(dns_unknown_reply, vl);
+				}
+
 			analyzer->Weird("DNS_RR_unknown_type");
 			data += rdlength;
 			len -= rdlength;
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 95c604a8b8..b43ac95f66 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -50,7 +50,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
 
 ## Generated for DNS replies that reject a query. This event is raised if a DNS
-## reply either indicates failure via its status code or does not pass on any
+## reply indicates failure because it does not pass on any
 ## answers to a query. Note that all of the event's parameters are parsed out of
 ## the reply; there's no stateful correlation with the query.
 ##
@@ -78,7 +78,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
 
-## Generated for DNS replies with an *ok* status code but no question section.
+## Generated for each entry in the Question section of a DNS reply.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
 ## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
@@ -401,6 +401,22 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%)
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 
+## Generated on DNS reply resource records when the type of record is not one
+## that Bro knows how to parse and generate another more specific specific
+## event.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
+event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
 ## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
 ##
diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
index 65c802ccf2..53bcb5581d 100644
--- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
+++ b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
@@ -20,8 +20,8 @@
       #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
       #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
       1300475167.096535	CXWv6p3arKYeMETxOg	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	0	D	1	73	0	0	(empty)
-      1300475167.097012	CjhGID4nQcgTWjvg4c	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	-	-	-	-	S0	-	0	D	1	199	0	0	(empty)
-      1300475167.099816	CCvvfg3TEfuqmmG4bh	141.142.220.50	5353	224.0.0.251	5353	udp	-	-	-	-	S0	-	0	D	1	179	0	0	(empty)
+      1300475167.097012	CjhGID4nQcgTWjvg4c	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	dns	-	-	-	S0	-	0	D	1	199	0	0	(empty)
+      1300475167.099816	CCvvfg3TEfuqmmG4bh	141.142.220.50	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	0	D	1	179	0	0	(empty)
       1300475168.853899	CPbrpk1qSsw6ESzHV4	141.142.220.118	43927	141.142.2.2	53	udp	dns	0.000435	38	89	SF	-	0	Dd	1	66	1	117	(empty)
       1300475168.854378	C6pKV8GSxOnSLghOa	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	-	0	Dd	1	80	1	127	(empty)
       1300475168.854837	CIPOse170MGiRM1Qf4	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	-	0	Dd	1	66	1	211	(empty)
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select
index bdae1a8f73..8653fd1edb 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select
@@ -1,6 +1,6 @@
 1300475167.09653|CXWv6p3arKYeMETxOg|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|73|0|0|(empty)
-1300475167.09701|CjhGID4nQcgTWjvg4c|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|||||S0||0|D|1|199|0|0|(empty)
-1300475167.09982|CCvvfg3TEfuqmmG4bh|141.142.220.50|5353|224.0.0.251|5353|udp|||||S0||0|D|1|179|0|0|(empty)
+1300475167.09701|CjhGID4nQcgTWjvg4c|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|dns||||S0||0|D|1|199|0|0|(empty)
+1300475167.09982|CCvvfg3TEfuqmmG4bh|141.142.220.50|5353|224.0.0.251|5353|udp|dns||||S0||0|D|1|179|0|0|(empty)
 1300475168.652|CsRx2w45OKnoww6xl4|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH||0|DdA|2|567|1|402|(empty)
 1300475168.72401|CRJuHdVW0XPVINV8a|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1||0|ShADad|4|741|3|396|(empty)
 1300475168.8539|CPbrpk1qSsw6ESzHV4|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF||0|Dd|1|66|1|117|(empty)
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
index 35289b82dd..76e83452e5 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2013-08-26-19-04-08
+#open	2014-01-28-14-55-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1359565680.761790	CXWv6p3arKYeMETxOg	192.168.6.10	53209	192.168.129.36	53	udp	41477	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	F	1	-	-	F
-#close	2013-08-26-19-04-08
+1359565680.761790	CXWv6p3arKYeMETxOg	192.168.6.10	53209	192.168.129.36	53	udp	41477	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	<unknown type=48>,<unknown type=48>,<unknown type=46>,<unknown type=46>	455.000000,455.000000,455.000000,455.000000	F
+#close	2014-01-28-14-55-04
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
index 6af017fa49..6e2a0a4699 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2013-08-26-19-04-08
+#open	2014-01-28-14-58-56
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1363716396.798072	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163,www-cmu.andrew.cmu.edu	86400.000000,5.000000,21600.000000,86400.000000	F
-1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu-2.andrew.cmu.edu,128.2.10.163	5.000000,21600.000000	F
-#close	2013-08-26-19-04-08
+1363716396.798072	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+#close	2014-01-28-14-58-56

From 31866f8f59ba9f9ec31543d4983f06152ec98bda Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 28 Jan 2014 13:56:22 -0600
Subject: [PATCH 013/220] Change dns.log to include only standard DNS queries.

The scope of dns.log is now only standard queries (OPCODE == 0).  Other
kinds of queries (e.g. inverse query) were not handled correctly and
could interfere with the state tracking of the default DNS scripts.
---
 doc/scripting/connection_record_02.bro         |   2 +-
 doc/scripting/index.rst                        |  14 +++++++-------
 scripts/base/protocols/dns/main.bro            |  17 +++++++++++++++--
 scripts/policy/protocols/dns/auth-addl.bro     |   4 ++++
 .../btest-doc.sphinx.connection-record-01#1    |   6 +++---
 .../btest-doc.sphinx.connection-record-02#1    |  14 ++++++--------
 .../output                                     |   2 +-
 .../dns.log                                    |  10 ----------
 ...s-session.trace => dns-inverse-query.trace} | Bin
 .../doc/sphinx/connection-record-01.btest      |   2 +-
 .../doc/sphinx/connection-record-02.btest      |   2 +-
 ...oc_scripting_connection_record_02_bro.btest |   2 +-
 .../policy/protocols/dns/event-priority.bro    |   4 ----
 .../policy/protocols/dns/inverse-request.bro   |   4 ++++
 14 files changed, 44 insertions(+), 39 deletions(-)
 delete mode 100644 testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
 rename testing/btest/Traces/{dns-session.trace => dns-inverse-query.trace} (100%)
 delete mode 100644 testing/btest/scripts/policy/protocols/dns/event-priority.bro
 create mode 100644 testing/btest/scripts/policy/protocols/dns/inverse-request.bro

diff --git a/doc/scripting/connection_record_02.bro b/doc/scripting/connection_record_02.bro
index 4459e47ef6..e4770069a9 100644
--- a/doc/scripting/connection_record_02.bro
+++ b/doc/scripting/connection_record_02.bro
@@ -1,5 +1,5 @@
 @load base/protocols/conn
-@load base/protocols/dns
+@load base/protocols/http
 
 event connection_state_remove(c: connection)
     {
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index e42aa55e2c..66ebce86af 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -232,7 +232,7 @@ overly populated.
 
 .. btest:: connection-record-01
 
-    @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_01.bro
+    @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro
 
 As you can see from the output, the connection record is something of
 a jumble when printed on its own.  Regularly taking a peek at a
@@ -248,9 +248,9 @@ originating host is referenced by ``c$id$orig_h`` which if given a
 narrative relates to ``orig_h`` which is a member of ``id`` which is
 a member of the data structure referred to as ``c`` that was passed
 into the event handler." Given that the responder port
-(``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base DNS scripts
+(``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base HTTP scripts
 can further populate the connection record.  Let's load the
-``base/protocols/dns`` scripts and check the output of our script. 
+``base/protocols/http`` scripts and check the output of our script. 
 
 Bro uses the dollar sign as its field delimiter and a direct
 correlation exists between the output of the connection record and the
@@ -262,16 +262,16 @@ brackets, which would correspond to the ``$``-delimiter in a Bro script.
 
 .. btest:: connection-record-02
 
-    @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_02.bro
+    @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro
 
-The addition of the ``base/protocols/dns`` scripts populates the
-``dns=[]`` member of the connection record.  While Bro is doing a
+The addition of the ``base/protocols/http`` scripts populates the
+``http=[]`` member of the connection record.  While Bro is doing a
 massive amount of work in the background, it is in what is commonly
 called "scriptland" that details are being refined and decisions
 being made. Were we to continue running in "bare mode" we could slowly
 keep adding infrastructure through ``@load`` statements.  For example,
 were we to ``@load base/frameworks/logging``, Bro would generate a
-``conn.log`` and ``dns.log`` for us in the current working directory.
+``conn.log`` and ``http.log`` for us in the current working directory.
 As mentioned above, including the appropriate ``@load`` statements is
 not only good practice, but can also help to indicate which
 functionalities are being used in a script.  Take a second to run the
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index f3f19d488c..0651e23ada 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -206,6 +206,10 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 
 event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
 	{
+	if ( msg$opcode != 0 )
+		# Currently only standard queries are tracked.
+		return;
+
 	hook set_session(c, msg, is_orig);
 
 	if ( msg$QR && msg$rcode != 0 && msg$num_queries == 0 )
@@ -214,6 +218,10 @@ event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &prior
 
 event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
 	{
+	if ( msg$opcode != 0 )
+		# Currently only standard queries are tracked.
+		return;
+
 	if ( ! msg$QR )
 		# This is weird: the inquirer must also be providing answers in
 		# the request, which is not what we want to track.
@@ -249,7 +257,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 
 event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=-5
 	{
-	if ( c$dns$ready )
+	if ( c?$dns && c$dns$ready )
 		{
 		Log::write(DNS::LOG, c$dns);
 		# This record is logged and no longer pending.
@@ -260,6 +268,10 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 
 event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
+	if ( msg$opcode != 0 )
+		# Currently only standard queries are tracked.
+		return;
+
 	c$dns$RD          = msg$RD;
 	c$dns$TC          = msg$TC;
 	c$dns$qclass      = qclass;
@@ -356,7 +368,8 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
 
 event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
-	c$dns$rejected = T;
+	if ( c?$dns )
+		c$dns$rejected = T;
 	}
 
 event connection_state_remove(c: connection) &priority=-5
diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.bro
index 8c04379c1c..bc97d529cd 100644
--- a/scripts/policy/protocols/dns/auth-addl.bro
+++ b/scripts/policy/protocols/dns/auth-addl.bro
@@ -21,6 +21,10 @@ export {
 
 event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=4
 	{
+	if ( msg$opcode != 0 )
+		# Currently only standard queries are tracked.
+		return;
+
 	# The "ready" flag will be set here.  This causes the setting from the 
 	# base script to be overridden since the base script will log immediately 
 	# after all of the ANS replies have been seen.
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
index 1deb2583a9..8da50c3d30 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1
@@ -4,10 +4,10 @@
       :linenos:
       :emphasize-lines: 1,1
 
-      # bro -b -r dns-session.trace connection_record_01.bro
-      [id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
+      # bro -b -r http/get.trace connection_record_01.bro
+      [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
       
-      }, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=CXWv6p3arKYeMETxOg, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
+      }, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
       
       }], extract_orig=F, extract_resp=F]
 
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
index 42d0a56e21..c170dbc645 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
@@ -4,16 +4,14 @@
       :linenos:
       :emphasize-lines: 1,1
 
-      # bro -b -r dns-session.trace connection_record_02.bro
-      [id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
+      # bro -b -r http/get.trace connection_record_02.bro
+      [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0], start_time=1362692526.869344, duration=0.211484, service={
       
-      }, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=CXWv6p3arKYeMETxOg, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
+      }, addl=, hot=0, history=ShADadFf, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, conn=[ts=1362692526.869344, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=<uninitialized>, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={
       
-      }], extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=[pending={
-      [34798] = [initialized=T, vals={
+      }], extract_orig=F, extract_resp=F, http=[ts=1362692526.939527, uid=CXWv6p3arKYeMETxOg, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, filename=<uninitialized>, tags={
       
-      }, settings=[max_len=<uninitialized>], top=1, bottom=1, size=0]
-      }, finished_answers={
+      }, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FakNcS1Jfe01uljb3], resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={
       
-      }]]
+      }, current_request=1, current_response=1]]
 
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output
index e4552b8580..12092ee2a0 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/output
@@ -3,7 +3,7 @@
 connection_record_02.bro
 
 @load base/protocols/conn
-@load base/protocols/dns
+@load base/protocols/http
 
 event connection_state_remove(c: connection)
     {
diff --git a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log b/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
deleted file mode 100644
index 18d5769abf..0000000000
--- a/testing/btest/Baseline/scripts.policy.protocols.dns.event-priority/dns.log
+++ /dev/null
@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	dns
-#open	2013-08-26-19-04-37
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	table[string]	table[string]
-930613226.518174	CXWv6p3arKYeMETxOg	212.180.42.100	25000	131.243.64.3	53	tcp	34798	-	-	-	-	-	0	NOERROR	F	F	F	T	0	4.3.2.1	31337.000000	F	-	-
-#close	2013-08-26-19-04-37
diff --git a/testing/btest/Traces/dns-session.trace b/testing/btest/Traces/dns-inverse-query.trace
similarity index 100%
rename from testing/btest/Traces/dns-session.trace
rename to testing/btest/Traces/dns-inverse-query.trace
diff --git a/testing/btest/doc/sphinx/connection-record-01.btest b/testing/btest/doc/sphinx/connection-record-01.btest
index b379fb4fbe..3704d58932 100644
--- a/testing/btest/doc/sphinx/connection-record-01.btest
+++ b/testing/btest/doc/sphinx/connection-record-01.btest
@@ -1 +1 @@
-@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_01.bro
+@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro
diff --git a/testing/btest/doc/sphinx/connection-record-02.btest b/testing/btest/doc/sphinx/connection-record-02.btest
index 292503e12c..0b0c87c1f2 100644
--- a/testing/btest/doc/sphinx/connection-record-02.btest
+++ b/testing/btest/doc/sphinx/connection-record-02.btest
@@ -1 +1 @@
-@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_02.bro
+@TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest
index e4552b8580..12092ee2a0 100644
--- a/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_scripting_connection_record_02_bro.btest
@@ -3,7 +3,7 @@
 connection_record_02.bro
 
 @load base/protocols/conn
-@load base/protocols/dns
+@load base/protocols/http
 
 event connection_state_remove(c: connection)
     {
diff --git a/testing/btest/scripts/policy/protocols/dns/event-priority.bro b/testing/btest/scripts/policy/protocols/dns/event-priority.bro
deleted file mode 100644
index 2165b102e8..0000000000
--- a/testing/btest/scripts/policy/protocols/dns/event-priority.bro
+++ /dev/null
@@ -1,4 +0,0 @@
-# @TEST-EXEC: bro -r $TRACES/dns-session.trace %INPUT 
-# @TEST-EXEC: btest-diff dns.log
-
-@load protocols/dns/auth-addl
diff --git a/testing/btest/scripts/policy/protocols/dns/inverse-request.bro b/testing/btest/scripts/policy/protocols/dns/inverse-request.bro
new file mode 100644
index 0000000000..d695060707
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/dns/inverse-request.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/dns-inverse-query.trace %INPUT 
+# @TEST-EXEC: test ! -e dns.log
+
+@load protocols/dns/auth-addl

From 62b3cb0a5b7bdd8fed1d7d0dae3337115b2feae7 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 28 Jan 2014 12:28:12 -0800
Subject: [PATCH 014/220] Also use exec-module test to check for leaks.

---
 testing/btest/core/leaks/exec.test | 80 ++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 testing/btest/core/leaks/exec.test

diff --git a/testing/btest/core/leaks/exec.test b/testing/btest/core/leaks/exec.test
new file mode 100644
index 0000000000..887ab01d39
--- /dev/null
+++ b/testing/btest/core/leaks/exec.test
@@ -0,0 +1,80 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+# 
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b ../exectest.bro
+# @TEST-EXEC: btest-bg-wait 15
+
+@TEST-START-FILE exectest.bro
+
+@load base/utils/exec
+@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats...
+redef exit_only_after_terminate = T;
+
+global c: count = 0;
+
+function check_exit_condition()
+	{
+	c += 1;
+
+	if ( c == 3 )
+		terminate();
+	}
+
+function test_cmd(label: string, cmd: Exec::Command)
+	{
+	when ( local result = Exec::run(cmd) )
+		{
+		print label, result;
+		check_exit_condition();
+		}
+	}
+
+event bro_init()
+	{
+	test_cmd("test1", [$cmd="bash ../somescript.sh",
+	                   $read_files=set("out1", "out2")]);
+	test_cmd("test2", [$cmd="bash ../nofiles.sh"]);
+	# Not sure of a portable way to test signals yet.
+	#test_cmd("test3", [$cmd="bash ../suicide.sh"]);
+	test_cmd("test4", [$cmd="bash ../stdin.sh", $stdin="hibye"]);
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE somescript.sh
+#! /usr/bin/env bash
+echo "insert text here" > out1
+echo "and here" >> out1
+echo "insert more text here" > out2
+echo "and there" >> out2
+echo "done"
+echo "exit"
+echo "stop"
+@TEST-END-FILE
+
+@TEST-START-FILE nofiles.sh
+#! /usr/bin/env bash
+echo "here's something on stdout"
+echo "some more stdout"
+echo "last stdout"
+echo "and some stderr" 1>&2
+echo "more stderr" 1>&2
+echo "last stderr" 1>&2
+exit 1
+@TEST-END-FILE
+
+@TEST-START-FILE suicide.sh
+#! /usr/bin/env bash
+echo "FML"
+kill -9 $$
+echo "nope"
+@TEST-END-FILE
+
+@TEST-START-FILE stdin.sh
+#! /usr/bin/env bash
+read -r line
+echo "$line"
+@TEST-END-FILE

From 55a8725ce28891b8ea4a470334c093f4396566b5 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Wed, 29 Jan 2014 08:42:48 -0800
Subject: [PATCH 015/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index c4b5fb7336..9ff2e2ced6 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit c4b5fb7336f2b598cf69777a7ec91b4aa16cacd1
+Subproject commit 9ff2e2ced64a3bd4af1268154e261671a1153481

From 4c52c378d5873abb052d688251f0ec7f5aa1c514 Mon Sep 17 00:00:00 2001
From: Jeannette Dopheide <jdopheid@illinois.edu>
Date: Wed, 29 Jan 2014 11:23:31 -0600
Subject: [PATCH 016/220] Added some grammar and spelling corrections to
 Installation and Quick Start Guide.

---
 doc/install/guidelines.rst | 35 +++++++++++++++++------------------
 doc/install/install.rst    |  4 ++--
 doc/quickstart/index.rst   |  2 +-
 3 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/doc/install/guidelines.rst b/doc/install/guidelines.rst
index 7835c83716..2e56b1b17e 100644
--- a/doc/install/guidelines.rst
+++ b/doc/install/guidelines.rst
@@ -12,32 +12,31 @@ local customizations over. In the following we summarize general
 guidelines for upgrading, see the :ref:`release-notes` for
 version-specific information.
 
-Re-Using Previous Install Prefix
+Reusing Previous Install Prefix
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 If you choose to configure and install Bro with the same prefix
 directory as before, local customization and configuration to files in
 ``$prefix/share/bro/site`` and ``$prefix/etc`` won't be overwritten
 (``$prefix`` indicating the root of where Bro was installed). Also, logs
-generated at run-time won't be touched by the upgrade. (But making
-a backup of local changes before upgrading is still recommended.)
+generated at run-time won't be touched by the upgrade. Backing up local 
+changes before upgrading is still recommended.
 
 After upgrading, remember to check ``$prefix/share/bro/site`` and
-``$prefix/etc`` for ``.example`` files, which indicate the
-distribution's version of the file differs from the local one, which may
-include local changes.  Review the differences, and make adjustments
-as necessary (for differences that aren't the result of a local change,
-use the new version's).
+``$prefix/etc`` for ``.example`` files, which indicate that the
+distribution's version of the file differs from the local one, and therefore, 
+may include local changes.  Review the differences and make adjustments
+as necessary. Use the new version for differences that aren't a result of 
+a local change.
 
-Using a New Install prefix
+Using a New Install Prefix
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you want to install the newer version in a different prefix
-directory than before, you can just copy local customization and
-configuration files from ``$prefix/share/bro/site`` and ``$prefix/etc``
-to the new location (``$prefix`` indicating the root of where Bro was
-originally installed).  Make sure to review the files for difference
-before copying and make adjustments as necessary (for differences that
-aren't the result of a local change, use the new version's).  Of
-particular note, the copied version of ``$prefix/etc/broctl.cfg`` is
-likely to need changes to the ``SpoolDir`` and ``LogDir`` settings.
+To install the newer version in a different prefix directory than before, 
+copy local customization and configuration files from ``$prefix/share/bro/site`` 
+and ``$prefix/etc`` to the new location (``$prefix`` indicating the root of 
+where Bro was originally installed).  Review the files for differences
+before copying and make adjustments as necessary (use the new version for
+differences that aren't a result of a local change).  Of particular note, 
+the copied version of ``$prefix/etc/broctl.cfg`` is likely to need changes 
+to the ``SpoolDir`` and ``LogDir`` settings.
diff --git a/doc/install/install.rst b/doc/install/install.rst
index 7030c95642..7400d640fe 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -3,7 +3,7 @@
 .. _Xcode: https://developer.apple.com/xcode/
 .. _MacPorts: http://www.macports.org
 .. _Fink: http://www.finkproject.org
-.. _Homebrew: http://mxcl.github.com/homebrew
+.. _Homebrew: http://brew.sh
 .. _bro downloads page: http://bro.org/download/index.html
 
 .. _installing-bro:
@@ -144,7 +144,7 @@ Bro releases are bundled into source packages for convenience and are
 available on the `bro downloads page`_. Alternatively, the latest
 Bro development version can be obtained through git repositories
 hosted at ``git.bro.org``.  See our `git development documentation
-<http://bro.org/development/process.html>`_ for comprehensive
+<http://bro.org/development/howtos/process.html>`_ for comprehensive
 information on Bro's use of git revision control, but the short story
 for downloading the full source code experience for Bro via git is:
 
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index e8ead2cf01..85fdb88d7f 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -407,7 +407,7 @@ logging) and adds SSL certificate validation.
 You might notice that a script you load from the command line uses the
 ``@load`` directive in the Bro language to declare dependence on other scripts.
 This directive is similar to the ``#include`` of C/C++, except the semantics
-are "load this script if it hasn't already been loaded".
+are, "load this script if it hasn't already been loaded."
 
 .. note:: If one wants Bro to be able to load scripts that live outside the
    default directories in Bro's installation root, the ``BROPATH`` environment

From 1842d324cb919c125cff727ff73655503f50bfb6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 29 Jan 2014 15:34:24 -0600
Subject: [PATCH 017/220] Extend file analysis API to allow file ID caching,
 adapt HTTP to use it.

This allows an analyzer to either provide file IDs associated with some
file content or to cache a file ID that was already determined by
script-layer logic so that subsequent calls to the file analysis
interface can bypass costly detours through script-layer.  This can
yield a decent performance improvement for analyzers that are able to
take advantage of it and deal with streaming content (like HTTP).
---
 src/analyzer/protocol/http/HTTP.cc | 16 ++++---
 src/analyzer/protocol/http/HTTP.h  |  1 +
 src/file_analysis/Manager.cc       | 67 +++++++++++++++++++-----------
 src/file_analysis/Manager.h        | 51 +++++++++++++++++++----
 4 files changed, 95 insertions(+), 40 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index ffdcad226f..f9b9496992 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -242,10 +242,11 @@ int HTTP_Entity::Undelivered(int64_t len)
 	if ( end_of_data && in_header )
 		return 0;
 
-	file_mgr->Gap(body_length, len,
+	cached_file_id = file_mgr->Gap(body_length, len,
 	              http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 	              http_message->MyHTTP_Analyzer()->Conn(),
-	              http_message->IsOrig());
+	              http_message->IsOrig(),
+	              cached_file_id);
 
 	if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
 		{
@@ -314,15 +315,18 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 	else
 		{
 		if ( send_size && content_length > 0 )
-			file_mgr->SetSize(content_length,
+			cached_file_id = file_mgr->SetSize(content_length,
 			                  http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			                  http_message->MyHTTP_Analyzer()->Conn(),
-			                  http_message->IsOrig());
+			                  http_message->IsOrig(),
+			                  cached_file_id);
 
-		file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
+		cached_file_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf),
+		                 len,
 		                 http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 		                 http_message->MyHTTP_Analyzer()->Conn(),
-		                 http_message->IsOrig());
+		                 http_message->IsOrig(),
+		                 cached_file_id);
 		}
 
 	send_size = false;
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index 8339e48e3b..9951fa461b 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -64,6 +64,7 @@ protected:
 	uint64_t offset;
 	int64_t instance_length; // total length indicated by content-range
 	bool send_size; // whether to send size indication to FAF
+	std::string cached_file_id;
 
 	MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }
 
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 0337dbb098..56192e5bf4 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -75,36 +75,47 @@ void Manager::SetHandle(const string& handle)
 	current_file_id = HashHandle(handle);
 	}
 
-void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
-                     analyzer::Tag tag, Connection* conn, bool is_orig)
+string Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
+                       analyzer::Tag tag, Connection* conn, bool is_orig,
+                       const string& cached_id)
 	{
-	GetFileHandle(tag, conn, is_orig);
-	File* file = GetFile(current_file_id, conn, tag, is_orig);
+	string id = cached_id.empty() ? GetFileID(tag, conn, is_orig) : cached_id;
+	File* file = GetFile(id, conn, tag, is_orig);
 
 	if ( ! file )
-		return;
+		return "";
 
 	file->DataIn(data, len, offset);
 
 	if ( file->IsComplete() )
+		{
 		RemoveFile(file->GetID());
+		return "";
+		}
+
+	return id;
 	}
 
-void Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
-                     Connection* conn, bool is_orig)
+string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
+                       Connection* conn, bool is_orig, const string& cached_id)
 	{
-	GetFileHandle(tag, conn, is_orig);
+	string id = cached_id.empty() ? GetFileID(tag, conn, is_orig) : cached_id;
 	// Sequential data input shouldn't be going over multiple conns, so don't
 	// do the check to update connection set.
-	File* file = GetFile(current_file_id, conn, tag, is_orig, false);
+	File* file = GetFile(id, conn, tag, is_orig, false);
 
 	if ( ! file )
-		return;
+		return "";
 
 	file->DataIn(data, len);
 
 	if ( file->IsComplete() )
+		{
 		RemoveFile(file->GetID());
+		return "";
+		}
+
+	return id;
 	}
 
 void Manager::DataIn(const u_char* data, uint64 len, const string& file_id,
@@ -133,8 +144,7 @@ void Manager::EndOfFile(analyzer::Tag tag, Connection* conn)
 void Manager::EndOfFile(analyzer::Tag tag, Connection* conn, bool is_orig)
 	{
 	// Don't need to create a file if we're just going to remove it right away.
-	GetFileHandle(tag, conn, is_orig);
-	RemoveFile(current_file_id);
+	RemoveFile(GetFileID(tag, conn, is_orig));
 	}
 
 void Manager::EndOfFile(const string& file_id)
@@ -142,31 +152,37 @@ void Manager::EndOfFile(const string& file_id)
 	RemoveFile(file_id);
 	}
 
-void Manager::Gap(uint64 offset, uint64 len, analyzer::Tag tag,
-                  Connection* conn, bool is_orig)
+string Manager::Gap(uint64 offset, uint64 len, analyzer::Tag tag,
+                    Connection* conn, bool is_orig, const string& cached_id)
 	{
-	GetFileHandle(tag, conn, is_orig);
-	File* file = GetFile(current_file_id, conn, tag, is_orig);
+	string id = cached_id.empty() ? GetFileID(tag, conn, is_orig) : cached_id;
+	File* file = GetFile(id, conn, tag, is_orig);
 
 	if ( ! file )
-		return;
+		return "";
 
 	file->Gap(offset, len);
+	return id;
 	}
 
-void Manager::SetSize(uint64 size, analyzer::Tag tag, Connection* conn,
-                      bool is_orig)
+string Manager::SetSize(uint64 size, analyzer::Tag tag, Connection* conn,
+                        bool is_orig, const string& cached_id)
 	{
-	GetFileHandle(tag, conn, is_orig);
-	File* file = GetFile(current_file_id, conn, tag, is_orig);
+	string id = cached_id.empty() ? GetFileID(tag, conn, is_orig) : cached_id;
+	File* file = GetFile(id, conn, tag, is_orig);
 
 	if ( ! file )
-		return;
+		return "";
 
 	file->SetTotalBytes(size);
 
 	if ( file->IsComplete() )
+		{
 		RemoveFile(file->GetID());
+		return "";
+		}
+
+	return id;
 	}
 
 bool Manager::SetTimeoutInterval(const string& file_id, double interval) const
@@ -317,15 +333,15 @@ bool Manager::IsIgnored(const string& file_id)
 	return ignored.find(file_id) != ignored.end();
 	}
 
-void Manager::GetFileHandle(analyzer::Tag tag, Connection* c, bool is_orig)
+string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
 	{
 	current_file_id.clear();
 
 	if ( IsDisabled(tag) )
-		return;
+		return "";
 
 	if ( ! get_file_handle )
-		return;
+		return "";
 
 	EnumVal* tagval = tag.AsEnumVal();
 	Ref(tagval);
@@ -337,6 +353,7 @@ void Manager::GetFileHandle(analyzer::Tag tag, Connection* c, bool is_orig)
 
 	mgr.QueueEvent(get_file_handle, vl);
 	mgr.Drain(); // need file handle immediately so we don't have to buffer data
+	return current_file_id;
 	}
 
 bool Manager::IsDisabled(analyzer::Tag tag)
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index cf73c6b52d..ce8aa6b7d7 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -82,9 +82,17 @@ public:
 	 * @param conn network connection over which the file data is transferred.
 	 * @param is_orig true if the file is being sent from connection originator
 	 *        or false if is being sent in the opposite direction.
+	 * @param cached_file_id may be set to a previous return value in order to
+	 *        bypass costly file handle lookups.
+	 * @return a unique file ID string which, in certain contexts, may be
+	 *         cached and passed back in to a subsequent function call in order
+	 *         to avoid costly file handle lookups (which have to go through
+	 *         the \c get_file_handle script-layer event).  An empty string
+	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	void DataIn(const u_char* data, uint64 len, uint64 offset,
-		    analyzer::Tag tag, Connection* conn, bool is_orig);
+	std::string DataIn(const u_char* data, uint64 len, uint64 offset,
+	                   analyzer::Tag tag, Connection* conn, bool is_orig,
+	                   const std::string& cached_file_id = "");
 
 	/**
 	 * Pass in sequential file data.
@@ -94,9 +102,17 @@ public:
 	 * @param conn network connection over which the file data is transferred.
 	 * @param is_orig true if the file is being sent from connection originator
 	 *        or false if is being sent in the opposite direction.
+	 * @param cached_file_id may be set to a previous return value in order to
+	 *        bypass costly file handle lookups.
+	 * @return a unique file ID string which, in certain contexts, may be
+	 *         cached and passed back in to a subsequent function call in order
+	 *         to avoid costly file handle lookups (which have to go through
+	 *         the \c get_file_handle script-layer event).  An empty string
+	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	void DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
-	            Connection* conn, bool is_orig);
+	std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
+	                   Connection* conn, bool is_orig,
+	                   const std::string& cached_file_id = "");
 
 	/**
 	 * Pass in sequential file data from external source (e.g. input framework).
@@ -140,9 +156,17 @@ public:
 	 * @param conn network connection over which the file data is transferred.
 	 * @param is_orig true if the file is being sent from connection originator
 	 *        or false if is being sent in the opposite direction.
+	 * @param cached_file_id may be set to a previous return value in order to
+	 *        bypass costly file handle lookups.
+	 * @return a unique file ID string which, in certain contexts, may be
+	 *         cached and passed back in to a subsequent function call in order
+	 *         to avoid costly file handle lookups (which have to go through
+	 *         the \c get_file_handle script-layer event).  An empty string
+	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	void Gap(uint64 offset, uint64 len, analyzer::Tag tag, Connection* conn,
-	         bool is_orig);
+	std::string Gap(uint64 offset, uint64 len, analyzer::Tag tag,
+	                Connection* conn, bool is_orig,
+	                const std::string& cached_file_id = "");
 
 	/**
 	 * Provide the expected number of bytes that comprise a file.
@@ -151,9 +175,16 @@ public:
 	 * @param conn network connection over which the file data is transferred.
 	 * @param is_orig true if the file is being sent from connection originator
 	 *        or false if is being sent in the opposite direction.
+	 * @param cached_file_id may be set to a previous return value in order to
+	 *        bypass costly file handle lookups.
+	 * @return a unique file ID string which, in certain contexts, may be
+	 *         cached and passed back in to a subsequent function call in order
+	 *         to avoid costly file handle lookups (which have to go through
+	 *         the \c get_file_handle script-layer event).  An empty string
+	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	void SetSize(uint64 size, analyzer::Tag tag, Connection* conn,
-	             bool is_orig);
+	std::string SetSize(uint64 size, analyzer::Tag tag, Connection* conn,
+	                    bool is_orig, const std::string& cached_file_id = "");
 
 	/**
 	 * Starts ignoring a file, which will finally be removed from internal
@@ -283,8 +314,10 @@ protected:
 	 * @param conn network connection over which the file is transferred.
 	 * @param is_orig true if the file is being sent from connection originator
 	 *        or false if is being sent in the opposite direction.
+	 * @return #current_file_id, which is a hash of a unique file handle string
+	 *         set by a \c get_file_handle event handler.
 	 */
-	void GetFileHandle(analyzer::Tag tag, Connection* c, bool is_orig);
+	std::string GetFileID(analyzer::Tag tag, Connection* c, bool is_orig);
 
 	/**
 	 * Check if analysis is available for files transferred over a given

From 2b84af5b80fc943c84a5675ec9cb0975fa35952f Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 29 Jan 2014 17:11:20 -0600
Subject: [PATCH 018/220] Revert use of HTTP file ID caching for gaps range
 request content.

Just an oversight on my part, this makes the use of file ID caching
consistent between the uses of the DataIn and Gap interfaces.
---
 src/analyzer/protocol/http/HTTP.cc | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index f9b9496992..3e74ca645c 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -242,11 +242,17 @@ int HTTP_Entity::Undelivered(int64_t len)
 	if ( end_of_data && in_header )
 		return 0;
 
-	cached_file_id = file_mgr->Gap(body_length, len,
-	              http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
-	              http_message->MyHTTP_Analyzer()->Conn(),
-	              http_message->IsOrig(),
-	              cached_file_id);
+	if ( is_partial_content )
+		file_mgr->Gap(body_length, len,
+		              http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
+		              http_message->MyHTTP_Analyzer()->Conn(),
+		              http_message->IsOrig());
+	else
+		cached_file_id = file_mgr->Gap(body_length, len,
+		                  http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
+		                  http_message->MyHTTP_Analyzer()->Conn(),
+		                  http_message->IsOrig(),
+		                  cached_file_id);
 
 	if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
 		{

From c7cacb56b8d0efaf79d03466563025b43d12ba74 Mon Sep 17 00:00:00 2001
From: Jeannette Dopheide <jdopheid@illinois.edu>
Date: Thu, 30 Jan 2014 13:13:26 -0600
Subject: [PATCH 019/220] Updates to Bro IDS documentation

---
 doc/broids/index.rst | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/doc/broids/index.rst b/doc/broids/index.rst
index 46e0d6ded6..d401dbcf34 100644
--- a/doc/broids/index.rst
+++ b/doc/broids/index.rst
@@ -16,18 +16,18 @@ In the following sections, we present a few examples of common uses of
 Bro as an IDS.
 
 ------------------------------------------------
-Detecting an FTP Bruteforce attack and notifying
+Detecting an FTP Brute-force Attack and Notifying
 ------------------------------------------------
 
-For the purpose of this exercise, we define FTP bruteforcing as too many
+For the purpose of this exercise, we define FTP brute-forcing as too many
 rejected usernames and passwords occurring from a single address.  We
-start by defining a threshold for the number of attempts and a
-monitoring interval in minutes as well as a new notice type.
+start by defining a threshold for the number of attempts, a monitoring 
+interval (in minutes), and a new notice type.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
     :lines: 9-25
 
-Now, using the ftp_reply event, we check for error codes from the `500
+Using the ftp_reply event, we check for error codes from the `500
 series <http://en.wikipedia.org/wiki/List_of_FTP_server_return_codes>`_
 for the "USER" and "PASS" commands, representing rejected usernames or
 passwords. For this, we can use the :bro:see:`FTP::parse_ftp_reply_code`
@@ -38,9 +38,9 @@ function to break down the reply code and check if the first digit is a
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
     :lines: 52-60
 
-Next, we use the SumStats framework to raise a notice of the attack of
-the attack when the number of failed attempts exceeds the specified
-threshold during the measuring interval.
+Next, we use the SumStats framework to raise a notice of the attack when 
+the number of failed attempts exceeds the specified threshold during the 
+measuring interval.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
     :lines: 28-50
@@ -56,14 +56,14 @@ Below is the final code for our script.
 
 As a final note, the :doc:`detect-bruteforcing.bro
 </scripts/policy/protocols/ftp/detect-bruteforcing.bro>` script above is
-include with Bro out of the box, so you only need to load it at startup
-to instruct Bro to detect and notify of FTP bruteforce attacks.
+included with Bro out of the box.  Use this feature by loading this script 
+during startup.
 
 -------------
 Other Attacks
 -------------
 
-Detecting SQL Injection attacks
+Detecting SQL Injection Attacks
 -------------------------------
 
 Checking files against known malware hashes
@@ -76,5 +76,4 @@ list of known malware hashes. Bro simplifies this task by offering a
 :doc:`detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>`
 script that creates and compares hashes against the `Malware Hash
 Registry <https://www.team-cymru.org/Services/MHR/>`_ maintained by Team
-Cymru. You only need to load this script along with your other scripts
-at startup time.
+Cymru. Use this feature by loading this script during startup.

From 2e2cb0ffc9e85cf163e0488104fc62238a50e4dc Mon Sep 17 00:00:00 2001
From: Jeannette Dopheide <jdopheid@illinois.edu>
Date: Thu, 30 Jan 2014 13:22:25 -0600
Subject: [PATCH 020/220] Updates to Logs and Cluster documentation

---
 doc/cluster/index.rst | 127 +++++++++++++++++++++++++++++++++++-------
 doc/logs/index.rst    |  51 ++++++++---------
 2 files changed, 133 insertions(+), 45 deletions(-)

diff --git a/doc/cluster/index.rst b/doc/cluster/index.rst
index 6de70d38cc..c4df063db5 100644
--- a/doc/cluster/index.rst
+++ b/doc/cluster/index.rst
@@ -6,7 +6,13 @@ Setting up a Bro Cluster
 Intro
 ------
 
-Bro is not multithreaded, so once the limitations of a single processor core are reached, the only option currently is to spread the workload across many cores or even many physical computers.  The cluster deployment scenario for Bro is the current solution to build these larger systems.  The accompanying tools and scripts provide the structure to easily manage many Bro processes examining packets and doing correlation activities but acting as a singular, cohesive entity.  
+Bro is not multithreaded, so once the limitations of a single processor core 
+are reached the only option currently is to spread the workload across many 
+cores, or even many physical computers. The cluster deployment scenario for 
+Bro is the current solution to build these larger systems. The accompanying 
+tools and scripts provide the structure to easily manage many Bro processes 
+examining packets and doing correlation activities but acting as a singular, 
+cohesive entity.  
 
 Architecture
 ---------------
@@ -17,42 +23,98 @@ The figure below illustrates the main components of a Bro cluster.
 
 Tap
 ***
-This is a mechanism that splits the packet stream in order to make a copy
-available for inspection. Examples include the monitoring port on a switch and
-an optical splitter for fiber networks.
+The tap is a mechanism that splits the packet stream in order to make a copy
+available for inspection. Examples include the monitoring port on a switch 
+and an optical splitter on fiber networks.
 
 Frontend 
 ********
-This is a discrete hardware device or on-host technique that will split your traffic into many streams or flows.  The Bro binary does not do this job.  There are numerous ways to accomplish this task, some of which are described below in `Frontend Options`_.
+The frontend is a discrete hardware device or on-host technique that splits 
+traffic into many streams or flows. The Bro binary does not do this job. 
+There are numerous ways to accomplish this task, some of which are described 
+below in `Frontend Options`_.
 
 Manager
 *******
-This is a Bro process which has two primary jobs.  It receives log messages and notices from the rest of the nodes in the cluster using the Bro communications protocol.  The result is that you will end up with single logs for each log instead of many discrete logs that you have to later combine in some manner with post processing.  The manager also takes the opportunity to de-duplicate notices and it has the ability to do so since it’s acting as the choke point for notices and how notices might be processed into actions such as emailing, paging, or blocking.
+The manager is a Bro process that has two primary jobs.  It receives log 
+messages and notices from the rest of the nodes in the cluster using the Bro 
+communications protocol.  The result is a single log instead of many 
+discrete logs that you have to combine in some manner with post-processing. 
+The manager also takes the opportunity to de-duplicate notices, and it has the 
+ability to do so since it’s acting as the choke point for notices and how notices 
+might be processed into actions (e.g., emailing, paging, or blocking).
 
-The manager process is started first by BroControl and it only opens it’s designated port and waits for connections, it doesn’t initiate any connections to the rest of the cluster.  Once the workers are started and connect to the manager, logs and notices will start arriving to the manager process from the workers.
+The manager process is started first by BroControl and it only opens its 
+designated port and waits for connections, it doesn’t initiate any 
+connections to the rest of the cluster.  Once the workers are started and 
+connect to the manager, logs and notices will start arriving to the manager 
+process from the workers.
 
 Proxy
 *****
-This is a Bro process which manages synchronized state.  Variables can be synchronized across connected Bro processes automatically in Bro and proxies will help the workers by alleviating the need for all of the workers to connect directly to each other.  
+The proxy is a Bro process that manages synchronized state.  Variables can 
+be synchronized across connected Bro processes automatically. Proxies help 
+the workers by alleviating the need for all of the workers to connect 
+directly to each other.  
 
-Examples of synchronized state from the scripts that ship with Bro are things such as the full list of “known” hosts and services which are hosts or services which have been detected as performing full TCP handshakes or an analyzed protocol has been found on the connection.  If worker A detects host 1.2.3.4 as an active host, it would be beneficial for worker B to know that as well so worker A shares that information as an insertion to a set <link to set documentation would be good here> which travels to the cluster’s proxy and the proxy then sends that same set insertion to worker B.  The result is that worker A and worker B have shared knowledge about host and services that are active on the network being monitored.  
+Examples of synchronized state from the scripts that ship with Bro include 
+the full list of “known” hosts and services (which are hosts or services 
+identified as performing full TCP handshakes) or an analyzed protocol has been 
+found on the connection.  If worker A detects host 1.2.3.4 as an active host, 
+it would be beneficial for worker B to know that as well.  So worker A shares 
+that information as an insertion to a set 
+<link to set documentation would be good here> which travels to the cluster’s 
+proxy and the proxy sends that same set insertion to worker B. The result 
+is that worker A and worker B have shared knowledge about host and services 
+that are active on the network being monitored.  
 
-The proxy model extends to having multiple proxies as well if necessary for performance reasons, it only adds one additional step for the Bro processes.  Each proxy connects to another proxy in a ring and the workers are shared between them as evenly as possible.  When a proxy receives some new bit of state, it will share that with it’s proxy which is then shared around the ring of proxies and down to all of the workers.  From a practical standpoint, there are no rules of thumb established yet for the number of proxies necessary for the number of workers they are serving.  Best is to start with a single proxy and add more if communication performance problems are found.
+The proxy model extends to having multiple proxies when necessary for 
+performance reasons. It only adds one additional step for the Bro processes. 
+Each proxy connects to another proxy in a ring and the workers are shared 
+between them as evenly as possible.  When a proxy receives some new bit of 
+state it will share that with its proxy, which is then shared around the 
+ring of proxies, and down to all of the workers.  From a practical standpoint, 
+there are no rules of thumb established for the number of proxies 
+necessary for the number of workers they are serving.  It is best to start 
+with a single proxy and add more if communication performance problems are 
+found.
 
-Bro processes acting as proxies don’t tend to be extremely intense to CPU or memory and users frequently run proxy processes on the same physical host as the manager.
+Bro processes acting as proxies don’t tend to be extremely hard on CPU 
+or memory and users frequently run proxy processes on the same physical 
+host as the manager.
 
 Worker
 ******
-This is the Bro process that sniffs network traffic and does protocol analysis on the reassembled traffic streams.  Most of the work of an active cluster takes place on the workers and as such, the workers typically represent the bulk of the Bro processes that are running in a cluster.  The fastest memory and CPU core speed you can afford is best here since all of the protocol parsing and most analysis will take place here.   There are no particular requirements for the disks in workers since almost all logging is done remotely to the manager and very little is normally written to disk.
+The worker is the Bro process that sniffs network traffic and does protocol 
+analysis on the reassembled traffic streams.  Most of the work of an active 
+cluster takes place on the workers and as such, the workers typically 
+represent the bulk of the Bro processes that are running in a cluster. 
+The fastest memory and CPU core speed you can afford is recommended 
+since all of the protocol parsing and most analysis will take place here. 
+There are no particular requirements for the disks in workers since almost all 
+logging is done remotely to the manager, and normally very little is written 
+to disk.
 
-The rule of thumb we have followed recently is to allocate approximately 1 core for every 80Mbps of traffic that is being analyzed, however this estimate could be extremely traffic mix specific.  It has generally worked for mixed traffic with many users and servers.  For example, if your traffic peaks around 2Gbps (combined) and you want to handle traffic at peak load, you may want to have 26 cores available (2048 / 80 == 25.6).  If the 80Mbps estimate works for your traffic, this could be handled by 3 physical hosts dedicated to being workers with each one containing dual 6-core processors.  
+The rule of thumb we have followed recently is to allocate approximately 1 
+core for every 80Mbps of traffic that is being analyzed. However, this 
+estimate could be extremely traffic mix-specific.  It has generally worked 
+for mixed traffic with many users and servers.  For example, if your traffic 
+peaks around 2Gbps (combined) and you want to handle traffic at peak load, 
+you may want to have 26 cores available (2048 / 80 == 25.6).  If the 80Mbps 
+estimate works for your traffic, this could be handled by 3 physical hosts 
+dedicated to being workers with each one containing dual 6-core processors.  
 
-Once a flow based load balancer is put into place this model is extremely easy to scale as well so it’s recommended that you guess at the amount of hardware you will need to fully analyze your traffic.  If it turns out that you need more, it’s relatively easy to increase the size of the cluster in most cases.
+Once a flow-based load balancer is put into place this model is extremely 
+easy to scale. It is recommended that you estimate the amount of 
+hardware you will need to fully analyze your traffic.  If more is needed it’s 
+relatively easy to increase the size of the cluster in most cases.
 
 Frontend Options
 ----------------
 
-There are many options for setting up a frontend flow distributor and in many cases it may even be beneficial to do multiple stages of flow distribution on the network and on the host.
+There are many options for setting up a frontend flow distributor.  In many 
+cases it is beneficial to do multiple stages of flow distribution 
+on the network and on the host.
 
 Discrete hardware flow balancers
 ********************************
@@ -60,12 +122,24 @@ Discrete hardware flow balancers
 cPacket
 ^^^^^^^
 
-If you are monitoring one or more 10G physical interfaces, the recommended solution is to use either a cFlow or cVu device from cPacket because they are currently being used very successfully at a number of sites.  These devices will perform layer-2 load balancing by rewriting the destination ethernet MAC address to cause each packet associated with a particular flow to have the same destination MAC.  The packets can then be passed directly to a monitoring host where each worker has a BPF filter to limit its visibility to only that stream of flows or onward to a commodity switch to split the traffic out to multiple 1G interfaces for the workers.  This can ultimately greatly reduce costs since workers can use relatively inexpensive 1G interfaces.
+If you are monitoring one or more 10G physical interfaces, the recommended 
+solution is to use either a cFlow or cVu device from cPacket because they 
+are used successfully at a number of sites.  These devices will perform 
+layer-2 load balancing by rewriting the destination Ethernet MAC address 
+to cause each packet associated with a particular flow to have the same 
+destination MAC.  The packets can then be passed directly to a monitoring 
+host where each worker has a BPF filter to limit its visibility to only that 
+stream of flows, or onward to a commodity switch to split the traffic out to 
+multiple 1G interfaces for the workers.  This greatly reduces
+costs since workers can use relatively inexpensive 1G interfaces.
 
 OpenFlow Switches
 ^^^^^^^^^^^^^^^^^
 
-We are currently exploring the use of OpenFlow based switches to do flow based load balancing directly on the switch which can greatly reduce frontend costs for many users.  This document will be updated when we have more information.
+We are currently exploring the use of OpenFlow based switches to do flow-based 
+load balancing directly on the switch, which greatly reduces frontend 
+costs for many users.  This document will be updated when we have more 
+information.
 
 On host flow balancing
 **********************
@@ -73,14 +147,27 @@ On host flow balancing
 PF_RING
 ^^^^^^^
 
-The PF_RING software for Linux has a “clustering” feature which will do flow based load balancing across a number of processes that are sniffing the same interface.  This will allow you to easily take advantage of multiple cores in a single physical host because Bro’s main event loop is single threaded and can’t natively utilize all of the cores.  More information about Bro with PF_RING can be found here: (someone want to write a quick Bro/PF_RING tutorial to link to here?  document installing kernel module, libpcap wrapper, building Bro with the --with-pcap configure option)
+The PF_RING software for Linux has a “clustering” feature which will do 
+flow-based load balancing across a number of processes that are sniffing the 
+same interface.  This allows you to easily take advantage of multiple 
+cores in a single physical host because Bro’s main event loop is single 
+threaded and can’t natively utilize all of the cores.  More information about 
+Bro with PF_RING can be found here: (someone want to write a quick Bro/PF_RING 
+tutorial to link to here?  document installing kernel module, libpcap 
+wrapper, building Bro with the --with-pcap configure option)
 
 Netmap
 ^^^^^^
 
-FreeBSD has an in-progress project named Netmap which will enable flow based load balancing as well.  When it becomes viable for real world use, this document will be updated.
+FreeBSD has an in-progress project named Netmap which will enable flow-based 
+load balancing as well.  When it becomes viable for real world use, this 
+document will be updated.
 
 Click! Software Router
 ^^^^^^^^^^^^^^^^^^^^^^
 
-Click! can be used for flow based load balancing with a simple configuration.  (link to an example for the config).  This solution is not recommended on Linux due to Bro’s PF_RING support and only as a last resort on other operating systems since it causes a lot of overhead due to context switching back and forth between kernel and userland several times per packet.
+Click! can be used for flow based load balancing with a simple configuration. 
+(link to an example for the config).  This solution is not recommended on 
+Linux due to Bro’s PF_RING support and only as a last resort on other 
+operating systems since it causes a lot of overhead due to context switching 
+back and forth between kernel and userland several times per packet.
diff --git a/doc/logs/index.rst b/doc/logs/index.rst
index b71546db72..ced9a78faa 100644
--- a/doc/logs/index.rst
+++ b/doc/logs/index.rst
@@ -24,17 +24,17 @@ Working with Log Files
 
 Generally, all of Bro's log files are produced by a corresponding
 script that defines their individual structure. However, as each log
-file flows through the Logging Framework, there share a set of
+file flows through the Logging Framework, they share a set of
 structural similarities. Without breaking into the scripting aspect of
-Bro here, a bird's eye view of how the log files are produced would
-progress as follows.  The script's author defines the kinds of data,
+Bro here, a bird's eye view of how the log files are produced
+progresses as follows.  The script's author defines the kinds of data,
 such as the originating IP address or the duration of a connection,
 which will make up the fields (i.e., columns) of the log file.  The
 author then decides what network activity should generate a single log
-file entry (i.e., one line); that could, e.g., be a connection having
-been completed or an HTTP ``GET`` method being issued by an
+file entry (i.e., one line). For example, this could be a connection 
+having been completed or an HTTP ``GET`` request being issued by an
 originator. When these behaviors are observed during operation, the
-data is passed to the Logging Framework which, in turn, adds the entry
+data is passed to the Logging Framework which adds the entry
 to the appropriate log file.
 
 As the fields of the log entries can be further customized by the
@@ -57,7 +57,7 @@ data, the string ``(empty)`` as the indicator for an empty field and
 the ``-`` character as the indicator for a field that hasn't been set.
 The timestamp for when the file was created is included under
 ``#open``. The header then goes on to detail the fields being listed
-in the file and the data types of those fields in ``#fields`` and
+in the file and the data types of those fields, in ``#fields`` and
 ``#types``, respectively. These two entries are often the two most
 significant points of interest as they detail not only the field names
 but the data types used. When navigating through the different log
@@ -66,12 +66,12 @@ definitions readily available saves the user some mental leg work. The
 field names are also a key resource for using the :ref:`bro-cut
 <bro-cut>` utility included with Bro, see below.
 
-Next to the header follows the main content; in this example we see 7
+Next to the header follows the main content. In this example we see 7
 connections with their key properties, such as originator and
-responder IP addresses (note how Bro transparely handles both IPv4 and
-IPv6), transport-layer ports, application-layer services - the
-``service`` field is filled ias Bro determines a specific protocol to
-be in use, independent of the connection's ports - payload size, and
+responder IP addresses (note how Bro transparently handles both IPv4 and
+IPv6), transport-layer ports, application-layer services ( - the
+``service`` field is filled in as Bro determines a specific protocol to
+be in use, independent of the connection's ports), payload size, and
 more. See :bro:type:`Conn::Info` for a description of all fields.
 
 In addition to ``conn.log``, Bro generates many further logs by
@@ -87,8 +87,8 @@ default, including:
     A log of FTP session-level activity.
 
 ``files.log``
-    Summaries of files transfered over the network. This information
-    is aggregrated from different protocols, including HTTP, FTP, and
+    Summaries of files transferred over the network. This information
+    is aggregated from different protocols, including HTTP, FTP, and
     SMTP.
 
 ``http.log``
@@ -106,7 +106,7 @@ default, including:
 ``weird.log``
     A log of unexpected protocol-level activity. Whenever Bro's
     protocol analysis encounters a situation it would not expect
-    (e.g., an RFC violation) is logs it in this file. Note that in
+    (e.g., an RFC violation) it logs it in this file. Note that in
     practice, real-world networks tend to exhibit a large number of
     such "crud" that is usually not worth following up on.
 
@@ -120,7 +120,7 @@ Using ``bro-cut``
 
 The ``bro-cut`` utility can be used in place of other tools to build
 terminal commands that remain flexible and accurate independent of
-possible changes to log file itself.  It accomplishes this by parsing
+possible changes to the log file itself.  It accomplishes this by parsing
 the header in each file and allowing the user to refer to the specific
 columnar data available (in contrast to tools like ``awk`` that
 require the user to refer to fields referenced by their position).
@@ -131,7 +131,7 @@ from a ``conn.log``:
 
    @TEST-EXEC: btest-rst-cmd -n 10 "cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration"
 
-The correspding ``awk`` command would look like this:
+The corresponding ``awk`` command will look like this:
 
 .. btest:: using_bro
 
@@ -185,8 +185,8 @@ Working with Timestamps
 
 ``bro-cut`` accepts the flag ``-d`` to convert the epoch time values
 in the log files to human-readable format.  The following command
-includes the human readable time stamp, the unique identifier and the
-HTTP ``Host`` and HTTP ``URI`` as extracted from the ``http.log``
+includes the human readable time stamp, the unique identifier, the
+HTTP ``Host``, and HTTP ``URI`` as extracted from the ``http.log``
 file:
 
 .. btest:: using_bro
@@ -218,7 +218,7 @@ See ``man strfime`` for more options for the format string.
 Using UIDs
 ----------
 
-While Bro can do signature based analysis, its primary focus is on
+While Bro can do signature-based analysis, its primary focus is on
 behavioral detection which alters the practice of log review from
 "reactionary review" to a process a little more akin to a hunting
 trip.  A common progression of review includes correlating a session
@@ -254,12 +254,13 @@ network.
 -----------------------
 Common Log Files
 -----------------------
-As a monitoring tool, Bro records a detailed view of the traffic inspected and the events generated in 
-a series of relevant log files. These files can later be reviewed for monitoring, auditing and troubleshooting 
-purposes.
+As a monitoring tool, Bro records a detailed view of the traffic inspected 
+and the events generated in a series of relevant log files. These files can 
+later be reviewed for monitoring, auditing and troubleshooting purposes.
 
-In this section we present a brief explanation of the most commonly used log files generated by Bro including links 
-to descriptions of some of the fields for each log type.
+In this section we present a brief explanation of the most commonly used log 
+files generated by Bro including links to descriptions of some of the fields 
+for each log type.
 
 +-----------------+---------------------------------------+------------------------------+
 | Log File        | Description                           | Field Descriptions           |

From 121db68c302b82be9d83e64f6a12aba85d9ac243 Mon Sep 17 00:00:00 2001
From: Jeannette Dopheide <jdopheid@illinois.edu>
Date: Thu, 30 Jan 2014 13:23:58 -0600
Subject: [PATCH 021/220] Updates to httpmonitor and mimestats documentation.

---
 doc/httpmonitor/index.rst | 21 ++++++++++-----------
 doc/mimestats/index.rst   | 32 ++++++++++++++++----------------
 2 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/doc/httpmonitor/index.rst b/doc/httpmonitor/index.rst
index f6b2f5e122..5a4f28ebfe 100644
--- a/doc/httpmonitor/index.rst
+++ b/doc/httpmonitor/index.rst
@@ -10,7 +10,7 @@ http.log file.  This file can then be used for analysis and auditing
 purposes.
 
 In the sections below we briefly explain the structure of the http.log
-file. Then, we show you how to perform basic HTTP traffic monitoring and
+file, then we show you how to perform basic HTTP traffic monitoring and
 analysis tasks with Bro. Some of these ideas and techniques can later be
 applied to monitor different protocols in a similar way.
 
@@ -40,11 +40,10 @@ request to the root of Bro website::
 
 Network administrators and security engineers, for instance, can use the
 information in this log to understand the HTTP activity on the network
-and troubleshoot network problems or search for anomalous activities. At
-this point, we would like to stress out the fact that there is no just
-one right way to perform analysis; it will depend on the expertise of
-the person doing the analysis and the specific details of the task to
-accomplish.
+and troubleshoot network problems or search for anomalous activities. We must 
+stress that there is no single right way to perform an analysis. It will 
+depend on the expertise of the person performing the analysis and the 
+specific details of the task.
 
 For more information about how to handle the HTTP protocol in Bro,
 including a complete list of the fields available in http.log, go to
@@ -58,15 +57,15 @@ Detecting a Proxy Server
 A proxy server is a device on your network configured to request a
 service on behalf of a third system; one of the most common examples is
 a Web proxy server. A client without Internet access connects to the
-proxy and requests a Web page; the proxy then sends the request to the
-actual Web server, receives the response and passes it to the original
+proxy and requests a web page, the proxy sends the request to the web 
+server, which receives the response, and passes it to the original 
 client.
 
 Proxies were conceived to help manage a network and provide better
-encapsulation. By themselves, proxies are not a security threat, but a
+encapsulation. Proxies by themselves are not a security threat, but a
 misconfigured or unauthorized proxy can allow others, either inside or
-outside the network, to access any Web site and even conduct malicious
-activities anonymously using the network resources.
+outside the network, to access any web site and even conduct malicious
+activities anonymously using the network's resources.
 
 What Proxy Server traffic looks like
 -------------------------------------
diff --git a/doc/mimestats/index.rst b/doc/mimestats/index.rst
index df17f4872f..dd2e039e8a 100644
--- a/doc/mimestats/index.rst
+++ b/doc/mimestats/index.rst
@@ -6,19 +6,19 @@ MIME Type Statistics
 ====================
 
 Files are constantly transmitted over HTTP on regular networks. These
-files belong to a specific category (i.e., executable, text, image,
-etc.) identified by a `Multipurpose Internet Mail Extension (MIME)
+files belong to a specific category (e.g., executable, text, image) 
+identified by a `Multipurpose Internet Mail Extension (MIME)
 <http://en.wikipedia.org/wiki/MIME>`_. Although MIME was originally
 developed to identify the type of non-text attachments on email, it is
-also used by Web browser to identify the type of files transmitted and
+also used by a web browser to identify the type of files transmitted and
 present them accordingly.
 
-In this tutorial, we will show how to use the Sumstats Framework to
-collect some statistics information based on MIME types, specifically
+In this tutorial, we will demonstrate how to use the Sumstats Framework 
+to collect statistical information based on MIME types; specifically,
 the total number of occurrences, size in bytes, and number of unique
-hosts transmitting files over HTTP per each type. For instructions about
-extracting and creating a local copy of these files, visit :ref:`this
-<http-monitor>` tutorial instead.
+hosts transmitting files over HTTP per each type. For instructions on
+extracting and creating a local copy of these files, visit :ref:`this 
+tutorial <http-monitor>`.
 
 ------------------------------------------------
 MIME Statistics with Sumstats
@@ -30,31 +30,31 @@ Observations, where the event is observed and fed into the framework.
 (ii) Reducers, where observations are collected and measured. (iii)
 Sumstats, where the main functionality is implemented.
 
-So, we start by defining our observation along with a record to store
-all statistics values and an observation interval. We are conducting our
-observation on the :bro:see:`HTTP::log_http` event and we are interested
-in the MIME type, size of the file ("response_body_len") and the
+We start by defining our observation along with a record to store
+all statistical values and an observation interval. We are conducting our
+observation on the :bro:see:`HTTP::log_http` event and are interested
+in the MIME type, size of the file ("response_body_len"), and the
 originator host ("orig_h"). We use the MIME type as our key and create
 observers for the other two values.
 
 .. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
     :lines: 6-29, 54-64
 
-Next, we create the reducers. The first one will accumulate file sizes
-and the second one will make sure we only store a host ID once. Below is
+Next, we create the reducers. The first will accumulate file sizes
+and the second will make sure we only store a host ID once. Below is
 the partial code from a :bro:see:`bro_init` handler.
 
 .. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
     :lines: 34-37
 
 In our final step, we create the SumStats where we check for the
-observation interval and once it expires, we populate the record
+observation interval.  Once it expires, we populate the record
 (defined above) with all the relevant data and write it to a log.
 
 .. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro
     :lines: 38-51
 
-Putting everything together we end up with the following final code for
+After putting the three pieces together we end up with the following final code for
 our script.
 
 .. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro

From c61dfb19630a163ca306be275638b546cac5d6ad Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 30 Jan 2014 17:21:01 -0600
Subject: [PATCH 022/220] Rewrite DNS state tracking which matches queries and
 replies.

The previous method of matching queries with replies was still
unreliable in cases where the reply contains no answers.  The new code
also takes extra measures to avoid pending state growing too large in
cases where the condition to match a query with a corresponding reply is
never met, but yet DNS messages continue to be exchanged over the same
connection 5-tuple (preventing cleanup of the pending state).
---
 scripts/base/protocols/dns/main.bro        | 248 +++++++++++++--------
 scripts/policy/protocols/dns/auth-addl.bro |  19 +-
 2 files changed, 166 insertions(+), 101 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 0651e23ada..21a0711159 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -63,15 +63,17 @@ export {
 		## The DNS query was rejected by the server.
 		rejected:      bool               &log &default=F;
 
-		## This value indicates if this request/response pair is ready
-		## to be logged.
-		ready:         bool            &default=F;
 		## The total number of resource records in a reply message's
 		## answer section.
 		total_answers: count           &optional;
 		## The total number of resource records in a reply message's
 		## answer, authority, and additional sections.
 		total_replies: count           &optional;
+
+		## Whether the full DNS query has been seen.
+		saw_query: bool                &default=F;
+		## Whether the full DNS reply has been seen.
+		saw_reply: bool                &default=F;
 	};
 
 	## An event that can be handled to access the :bro:type:`DNS::Info`
@@ -90,7 +92,7 @@ export {
 	## ans: The general information of a RR response.
 	##
 	## reply: The specific response information according to RR type/class.
-	global do_reply: event(c: connection, msg: dns_msg, ans: dns_answer, reply: string);
+	global do_reply: hook(c: connection, msg: dns_msg, ans: dns_answer, reply: string);
 
 	## A hook that is called whenever a session is being set.
 	## This can be used if additional initialization logic needs to happen
@@ -103,17 +105,42 @@ export {
 	## is_query: Indicator for if this is being called for a query or a response.
 	global set_session: hook(c: connection, msg: dns_msg, is_query: bool);
 
+	## Yields a queue of :bro:see:`DNS::Info` objects for a given
+	## DNS message query/transaction ID.
+	type PendingMessages: table[count] of Queue::Queue;
+
+	## Called when a pending DNS query has not been matched with a reply (or
+	## vice versa) in a sufficent amount of time.
+	##
+	## pending: table of pending messages, indexed by transaction ID.
+	##
+	## id: the index of he element being expired.
+	##
+	## Returns: amount of time to delay expiration of the element.
+	global expire_pending_msg: function(pending: PendingMessages, id: count): interval;
+
+	## The amount of time that DNS queries or replies for a given
+	## query/transaction ID are allowed to be queued while waiting for
+	## a matching reply or query.
+	const pending_msg_expiry_interval = 2min &redef;
+
+	## Give up trying to match pending DNS queries or replies for a given
+	## query/transaction ID once this number of unmatched queries or replies
+	## is reached (this shouldn't happen unless either the DNS server/resolver
+	## is broken, Bro is not seeing all the DNS traffic, or an AXFR query
+	## response is ongoing).
+	const max_pending_msgs = 50 &redef;
+
 	## A record type which tracks the status of DNS queries for a given
 	## :bro:type:`connection`.
 	type State: record {
 		## Indexed by query id, returns Info record corresponding to
-		## query/response which haven't completed yet.
-		pending: table[count] of Queue::Queue;
+		## queries that haven't been matched with a response yet.
+		pending_queries: PendingMessages &read_expire=pending_msg_expiry_interval &expire_func=expire_pending_msg;
 
-		## This is the list of DNS responses that have completed based
-		## on the number of responses declared and the number received.
-		## The contents of the set are transaction IDs.
-		finished_answers: set[count];
+		## Indexed by query id, returns Info record corresponding to
+		## replies that haven't been matched with a query yet.
+		pending_replies: PendingMessages &read_expire=pending_msg_expiry_interval &expire_func=expire_pending_msg;
 	};
 }
 
@@ -143,6 +170,51 @@ function new_session(c: connection, trans_id: count): Info
 	return info;
 	}
 
+function log_unmatched_msgs_queue(q: Queue::Queue)
+	{
+	local infos: vector of Info;
+	Queue::get_vector(q, infos);
+
+	for ( i in infos )
+		Log::write(DNS::LOG, infos[i]);
+	}
+
+function log_unmatched_msgs(msgs: PendingMessages)
+	{
+	for ( trans_id in msgs )
+		{
+		log_unmatched_msgs_queue(msgs[trans_id]);
+		delete msgs[trans_id];
+		}
+	}
+
+function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
+	{
+	if ( id !in msgs )
+		msgs[id] = Queue::init();
+	else if ( Queue::len(msgs[id]) > max_pending_msgs )
+		{
+		local info: Info = Queue::peek(msgs[id]);
+		event flow_weird("dns_unmatched_msg_quantity", info$id$orig_h,
+		                 info$id$resp_h);
+		log_unmatched_msgs_queue(msgs[id]);
+		# Throw away all unmatched on assumption they'll never be matched.
+		msgs[id] = Queue::init();
+		}
+
+	Queue::put(msgs[id], msg);
+	}
+
+function pop_msg(msgs: PendingMessages, id: count): Info
+	{
+	local rval: Info = Queue::get(msgs[id]);
+
+	if ( Queue::len(msgs[id]) == 0 )
+		delete msgs[id];
+
+	return rval;
+	}
+
 hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 	{
 	if ( ! c?$dns_state )
@@ -151,34 +223,39 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 		c$dns_state = state;
 		}
 
-	if ( msg$id !in c$dns_state$pending )
-		c$dns_state$pending[msg$id] = Queue::init();
-	
-	local info: Info;
-	# If this is either a query or this is the reply but
-	# no Info records are in the queue (we missed the query?)
-	# we need to create an Info record and put it in the queue.  
 	if ( is_query )
 		{
-		info = new_session(c, msg$id);
-		Queue::put(c$dns_state$pending[msg$id], info);
+		if ( msg$id in c$dns_state$pending_replies &&
+		     Queue::len(c$dns_state$pending_replies[msg$id]) > 0 )
+			{
+			# Match this DNS query w/ what's at head of pending reply queue.
+			c$dns = pop_msg(c$dns_state$pending_replies, msg$id);
+			}
+		else
+			{
+			# Create a new DNS session and put it in the query queue so
+			# we can wait for a matching reply.
+			c$dns = new_session(c, msg$id);
+			enqueue_new_msg(c$dns_state$pending_queries, msg$id, c$dns);
+			}
 		}
-	else if ( Queue::len(c$dns_state$pending[msg$id]) == 0 )
-		{
-		info = new_session(c, msg$id);
-		Queue::put(c$dns_state$pending[msg$id], info);
-		event conn_weird("dns_unmatched_reply", c, "");
-		}
-
-	if ( is_query )
-		# If this is a query, assign the newly created info variable
-		# so that the world looks correct to anything else handling
-		# this query.
-		c$dns = info;
 	else
-		# Peek at the next item in the queue for this trans_id and 
-		# assign it to c$dns since this is a response.
-		c$dns = Queue::peek(c$dns_state$pending[msg$id]);
+		{
+		if ( msg$id in c$dns_state$pending_queries &&
+		     Queue::len(c$dns_state$pending_queries[msg$id]) > 0 )
+			{
+			# Match this DNS reply w/ what's at head of pending query queue.
+			c$dns = pop_msg(c$dns_state$pending_queries, msg$id);
+			}
+		else
+			{
+			# Create a new DNS session and put it in the reply queue so
+			# we can wait for a matching query.
+			c$dns = new_session(c, msg$id);
+			event conn_weird("dns_unmatched_reply", c, "");
+			enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns);
+			}
+		}
 
 	if ( ! is_query )
 		{
@@ -188,19 +265,11 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 		if ( ! c$dns?$total_answers )
 			c$dns$total_answers = msg$num_answers;
 
-		if ( c$dns?$total_replies &&
-		     c$dns$total_replies != msg$num_answers + msg$num_addl + msg$num_auth )
-			{
-			event conn_weird("dns_changed_number_of_responses", c,
-			                      fmt("The declared number of responses changed from %d to %d",
-			                          c$dns$total_replies,
-			                          msg$num_answers + msg$num_addl + msg$num_auth));
-			}
-		else
-			{
-			# Store the total number of responses expected from the first reply.
+		if ( ! c$dns?$total_replies )
 			c$dns$total_replies = msg$num_answers + msg$num_addl + msg$num_auth;
-			}
+
+		if ( msg$rcode != 0 && msg$num_queries == 0 )
+			c$dns$rejected = T;
 		}
 	}
 
@@ -210,13 +279,10 @@ event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &prior
 		# Currently only standard queries are tracked.
 		return;
 
-	hook set_session(c, msg, is_orig);
-
-	if ( msg$QR && msg$rcode != 0 && msg$num_queries == 0 )
-		c$dns$rejected = T;
+	hook set_session(c, msg, ! msg$QR);
 	}
 
-event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
+hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
 	{
 	if ( msg$opcode != 0 )
 		# Currently only standard queries are tracked.
@@ -229,9 +295,6 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 
 	if ( ans$answer_type == DNS_ANS )
 		{
-		if ( ! c?$dns )
-			hook set_session(c, msg, F);
-
 		c$dns$AA    = msg$AA;
 		c$dns$RA    = msg$RA;
 
@@ -245,23 +308,25 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 				c$dns$TTLs = vector();
 			c$dns$TTLs[|c$dns$TTLs|] = ans$TTL;
 			}
-
-		if ( c$dns?$answers && c$dns?$total_answers &&
-		     |c$dns$answers| == c$dns$total_answers )
-			{
-			# Indicate this request/reply pair is ready to be logged.
-			c$dns$ready = T;
-			}
 		}
 	}
 
-event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=-5
+event dns_end(c: connection, msg: dns_msg) &priority=5
 	{
-	if ( c?$dns && c$dns$ready )
+	if ( ! c?$dns )
+		return;
+
+	if ( msg$QR )
+		c$dns$saw_reply = T;
+	else
+		c$dns$saw_query = T;
+	}
+
+event dns_end(c: connection, msg: dns_msg) &priority=-5
+	{
+	if ( c?$dns && c$dns$saw_reply && c$dns$saw_query )
 		{
 		Log::write(DNS::LOG, c$dns);
-		# This record is logged and no longer pending.
-		Queue::get(c$dns_state$pending[c$dns$trans_id]);
 		delete c$dns;
 		}
 	}
@@ -291,63 +356,63 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
 
 event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, fmt("<unknown type=%s>", ans$qtype));
+	hook DNS::do_reply(c, msg, ans, fmt("<unknown type=%s>", ans$qtype));
 	}
 
 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, fmt("%s", a));
+	hook DNS::do_reply(c, msg, ans, fmt("%s", a));
 	}
 
 event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, str: string) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, str);
+	hook DNS::do_reply(c, msg, ans, str);
 	}
 
 event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, fmt("%s", a));
+	hook DNS::do_reply(c, msg, ans, fmt("%s", a));
 	}
 
 event dns_A6_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, fmt("%s", a));
+	hook DNS::do_reply(c, msg, ans, fmt("%s", a));
 	}
 
 event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, name);
+	hook DNS::do_reply(c, msg, ans, name);
 	}
 
 event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, name);
+	hook DNS::do_reply(c, msg, ans, name);
 	}
 
 event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string,
                    preference: count) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, name);
+	hook DNS::do_reply(c, msg, ans, name);
 	}
 
 event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, name);
+	hook DNS::do_reply(c, msg, ans, name);
 	}
 
 event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, soa$mname);
+	hook DNS::do_reply(c, msg, ans, soa$mname);
 	}
 
 event dns_WKS_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, "");
+	hook DNS::do_reply(c, msg, ans, "");
 	}
 
 event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
 	{
-	event DNS::do_reply(c, msg, ans, "");
+	hook DNS::do_reply(c, msg, ans, "");
 	}
 
 # TODO: figure out how to handle these
@@ -377,16 +442,23 @@ event connection_state_remove(c: connection) &priority=-5
 	if ( ! c?$dns_state )
 		return;
 
-	# If Bro is expiring state, we should go ahead and log all unlogged
-	# request/response pairs now.
-	for ( trans_id in c$dns_state$pending )
-		{
-		local infos: vector of Info;
-		Queue::get_vector(c$dns_state$pending[trans_id], infos);
-		for ( i in infos )
-			{
-			Log::write(DNS::LOG, infos[i]);
-			}
-		}
+	# If Bro is expiring state, we should go ahead and log all unmatched
+	# queries and replies now.
+	log_unmatched_msgs(c$dns_state$pending_queries);
+	log_unmatched_msgs(c$dns_state$pending_replies);
 	}
 
+function expire_pending_msg(pending: PendingMessages, id: count): interval
+	{
+	local infos: vector of Info;
+	Queue::get_vector(pending[id], infos);
+
+	for ( i in infos )
+		{
+		Log::write(DNS::LOG, infos[i]);
+		event flow_weird("dns_unmatched_msg", infos[i]$id$orig_h,
+		                 infos[i]$id$resp_h);
+		}
+
+	return 0sec;
+	}
diff --git a/scripts/policy/protocols/dns/auth-addl.bro b/scripts/policy/protocols/dns/auth-addl.bro
index bc97d529cd..a04cca37ab 100644
--- a/scripts/policy/protocols/dns/auth-addl.bro
+++ b/scripts/policy/protocols/dns/auth-addl.bro
@@ -19,17 +19,17 @@ export {
 	};
 }
 
-event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=4
+hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) &priority=5
 	{
 	if ( msg$opcode != 0 )
 		# Currently only standard queries are tracked.
 		return;
 
-	# The "ready" flag will be set here.  This causes the setting from the 
-	# base script to be overridden since the base script will log immediately 
-	# after all of the ANS replies have been seen.
-	c$dns$ready=F;
-	
+	if ( ! msg$QR )
+		# This is weird: the inquirer must also be providing answers in
+		# the request, which is not what we want to track.
+		return;
+
 	if ( ans$answer_type == DNS_AUTH )
 		{
 		if ( ! c$dns?$auth )
@@ -42,11 +42,4 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 			c$dns$addl = set();
 		add c$dns$addl[reply];
 		}
-	
-	if ( c$dns?$answers && c$dns?$auth && c$dns?$addl &&
-	     c$dns$total_replies == |c$dns$answers| + |c$dns$auth| + |c$dns$addl| )
-		{
-		# *Now* all replies desired have been seen.
-		c$dns$ready = T;
-		}
 	}

From cdf09b4acef5c4c0e03d8170f6ac12bc514b582d Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 31 Jan 2014 09:56:20 -0800
Subject: [PATCH 023/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index 36b96eb9c1..23ff11bf0e 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 36b96eb9c13d1011bbc8be3581fd0f1c0bd8de44
+Subproject commit 23ff11bf0edbad2c6f1acbeb3f9a029ff4b61785

From 0cb2a90da4aa1de49e3881b9471e69f862d62038 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 31 Jan 2014 17:04:58 -0600
Subject: [PATCH 024/220] Add script to detect filtered TCP traces, addresses
 BIT-1119.

If reading a trace file w/ only TCP control packets, a warning is
emitted to suggest the 'detect_filtered_traces' option if the user
doesn't desire Bro to report missing TCP segments for such a trace file.
---
 scripts/base/init-default.bro                 |   1 +
 scripts/base/misc/find-filtered-trace.bro     |  49 ++++++++++++++++++
 .../canonified_loaded_scripts.log             |   5 +-
 .../out1                                      |   1 +
 .../out2                                      |   0
 .../btest/Traces/http/bro.org-filtered.pcap   | Bin 0 -> 3934 bytes
 .../base/misc/find-filtered-trace.test        |   4 ++
 7 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 scripts/base/misc/find-filtered-trace.bro
 create mode 100644 testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
 create mode 100644 testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2
 create mode 100644 testing/btest/Traces/http/bro.org-filtered.pcap
 create mode 100644 testing/btest/scripts/base/misc/find-filtered-trace.test

diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index d0120d930b..d87574f4e5 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -60,3 +60,4 @@
 
 
 @load base/misc/find-checksum-offloading
+@load base/misc/find-filtered-trace
diff --git a/scripts/base/misc/find-filtered-trace.bro b/scripts/base/misc/find-filtered-trace.bro
new file mode 100644
index 0000000000..a723b656a7
--- /dev/null
+++ b/scripts/base/misc/find-filtered-trace.bro
@@ -0,0 +1,49 @@
+##! Discovers trace files that contain TCP traffic consisting only of
+##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
+##! packets and no content).  On finding such a trace, a warning is
+##! emitted that suggests toggling the :bro:see:`detect_filtered_trace`
+##! option may be desired if the user does not want Bro to report
+##! missing TCP segments.
+
+module FilteredTraceDetection;
+
+export {
+
+	## Flag to enable filtered trace file detection and warning message.
+	global enable: bool = T &redef;
+}
+
+global saw_tcp_conn_with_data: bool = F;
+global saw_a_tcp_conn: bool = F;
+
+event connection_state_remove(c: connection)
+	{
+	if ( ! reading_traces() )
+		return;
+
+	if ( ! enable )
+		return;
+
+	if ( saw_tcp_conn_with_data )
+		return;
+
+	if ( ! is_tcp_port(c$id$orig_p) )
+		return;
+
+	saw_a_tcp_conn = T;
+
+	if ( /[Dd]/ in c$history )
+		saw_tcp_conn_with_data = T;
+	}
+
+event bro_done()
+	{
+	if ( ! enable )
+		return;
+
+	if ( ! saw_a_tcp_conn )
+		return;
+
+	if ( ! saw_tcp_conn_with_data )
+		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
+	}
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 90145d94fb..76b3f3a596 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-10-30-16-52-28
+#open	2014-01-31-22-54-38
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -220,5 +220,6 @@ scripts/base/init-default.bro
   scripts/base/files/unified2/__load__.bro
     scripts/base/files/unified2/main.bro
   scripts/base/misc/find-checksum-offloading.bro
+  scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-10-30-16-52-28
+#close	2014-01-31-22-54-38
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
new file mode 100644
index 0000000000..c2f791ba82
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out1
@@ -0,0 +1 @@
+1389719059.311687 warning in /Users/jsiwek/Projects/bro/bro/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.
diff --git a/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2 b/testing/btest/Baseline/scripts.base.misc.find-filtered-trace/out2
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/Traces/http/bro.org-filtered.pcap b/testing/btest/Traces/http/bro.org-filtered.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b25905079eec524262b750a53c96cf96364a9f72
GIT binary patch
literal 3934
zcmaLae@vBC7zgn4z91k!#<*%KBwB%7`LR$EBWbd?G}Dpqzzy*-b89U_Cz?RTDsH%G
zh-q$2Oq)YV1*J?-DKVq50e`s65rYuatZ>-GG}=rgdcNoMo(^00-0d=W|M=YRdCqg5
zbNQjQ;gHGvne!SOW6YpGjE!Ac=id)y%jkE!vsN<Kd^3o}-I-Y!#1=D_9^=hm83DW2
z2QxFgWp8srcO0_^N81M>Rhwx+k&75J{U@CEH-m!N%%5M!bHmRs5c2+pFqTe#<1I|b
zCpj@^n2~%S5Gr(LcgI<u+Xm^k*1E>VhUW{Jev;K1Ark(7%IMulS(ztOx|!X%adaBe
zAmvEGxRh0Rj+Bt^P1earmO&0XB;`5GZa0?nJMx98zU5f@eBYH_`XuE1^HPpyc3sPf
zCPyxQXPmrG%{(|=C#MWRE}bCd1ZKCCeE*&!Kl8x1d|-x74p;}deyfy|m|fxe^>;^J
zJ>*-?U0`UsVHJIDM!^27N;f1~jq?oB@1h&B!-Y&gY0tX#Ry4Qz6)V9yooG-EN@1l%
zsuoMr=9<Z^KE;Z+&dfGwr@n+$azM3G_0}wIT~Vw#*4bGG_0v^Y9Z#v&t9t7(ZuKgb
z+iHq5sOzW03fbvcfmE;Ct^nV)cY6w9RaGb!)xP1Q3fEwa9Wgd`b0YQ^FIcWgTC0d#
zI~0p*ziC@bNoO0Zi6KG~)-=6U%&l_8qS_ZNscSju4{K4oYITv7N)PaM=8T+U?vy_>
za3+Ff=khbr*+$v6+Y!}$>ykvGXD92FrO!jjZ<Y!_vnTy2)eBG#(p*H1vZv^jfKn*+
zUa9a?G#EoQ-vebyB4fd%9J{9JOt**T1MS*Yr8;iw+!rr(7WfUII@=PQ>cDE(TkmqK
zOtIpulY9LJM=uq_y6}o>ZNF}4DjnU6)m6sI)nOJ>Cd#&g=ZY7rvwzYlG4)V(WlM$M
zJC}+n747{gZ|Du7JPh{Jb+(tUt5jJRow)lW?M7w=vheZDmxdbEh4^XKb!0sfg;mN#
z{3gh(Anze|?d1(3(e<nenyDZD9h90GQn8usZT@8oLg1!aQzFi-xKDrk8qaZ4A>Z`q
zK;LUk^px?nzOAg)wz}3Dq!(f$Bp-ApLKs<H^`<7}S5uMluTGgVhuO>1bNIc9l+mGT
z$|0|l5^~vPog5kq`DmMzS24TQb>kQW$Wf1vlW9$2{g5wr>g0|skZ-*y<y>ZOE}VVW
zk=-;+{`;mfG)}JX(#d6YkdrMbuV(gh)f@QvLgt8n?<TQl<K^YuI=QD2a_<5ud+0tr
zo;ugb{P(CPbH7d=NP~Rwl$7(By=WxpoFl(AzRp|m9DRm5C$I6>_1OoE<f<)7pXFFr
z(hcg5edx1CZi~!}!3r+YTIJk&L$Ov_eW?a@L@lgH`pSwu6V?j7wS!xm6)V^3Pd2Cr
z?!ijRQLU#-wYe&|wMns7TUX-^+Vw<OQFl};yIgDS<W_-V<yqHa4BCxmSmmZ_eWJHM
z<km*T@>tiS4eFVBu%`4mRyft(yD!A|KDs@haVtx)XkO$;d7E#Vn2ie?(Gz&V+WT>c
zW;TX*Wl&Gl#LI5uQ|+cn-lKLzX6+DtgP26h2>lo0`;P881Eu#xsfg1sk5)*D(t?I}
z3uXUdol<rJO7cpnh|`)#`^S|BhlMh%RXU2G+$xufm?rnAqqq_pB9v=2x-6k_P>%LU
zMNGR|>T#~zZxYJIPj$+`LMRtor6SI9Gj$PHUOOw4nifqTx;;INl&UyoztM*#_2GH!
zcQwCju;17z<6EuuBe!NN7W&YnK1_j?R0RhwSjl>;ms_!lg|lYTSxbVIa$HEl^60HA
o+=@{w%oCI5Ngb@Y->BAhy+vn<>h*+TVV;;YPyT?l*yULN0OWAI4*&oF

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/misc/find-filtered-trace.test b/testing/btest/scripts/base/misc/find-filtered-trace.test
new file mode 100644
index 0000000000..05b603ac92
--- /dev/null
+++ b/testing/btest/scripts/base/misc/find-filtered-trace.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap >out1 2>&1
+# @TEST-EXEC: bro -r $TRACES/http/bro.org-filtered.pcap "FilteredTraceDetection::enable=F" >out2 2>&1
+# @TEST-EXEC: TEST_DIFF_CANOIFIER=$SCRIPTS/diff-remove-abspath btest-diff out1
+# @TEST-EXEC: btest-diff out2

From ab4508486e2337ba9eccf123343f6133530d6813 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 3 Feb 2014 16:54:48 -0600
Subject: [PATCH 025/220] Minor unified2 script documentation fix.

---
 scripts/base/files/unified2/main.bro | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro
index 870f9335ae..2f6ae79f4f 100644
--- a/scripts/base/files/unified2/main.bro
+++ b/scripts/base/files/unified2/main.bro
@@ -7,10 +7,10 @@ module Unified2;
 export {
 	redef enum Log::ID += { LOG };
 
-	## Directory to watch for Unified2 files.
+	## File to watch for Unified2 files.
 	const watch_file = "" &redef;
 
-	## File to watch for Unified2 records.
+	## Directory to watch for Unified2 records.
 	const watch_dir = "" &redef;
 
 	## The sid-msg.map file you would like to use for your alerts.

From 4b63b3090165b59863356a9e4ee228c2f1ac5809 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 5 Feb 2014 10:01:51 -0800
Subject: [PATCH 026/220] Fix x509-extension test sometimes failing.

For some fields, the format apparently is not consistens over
OpenSSL versions. For the test, we simply skip those.
---
 .../scripts.base.protocols.ssl.x509_extensions/.stdout       | 2 --
 .../btest/scripts/base/protocols/ssl/x509_extensions.test    | 5 ++++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
index 3f9c8661bf..c33135d3f8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/.stdout
@@ -4,7 +4,6 @@
 [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J  CPS: https://secure.comodo.com/CPS^J]
-[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crl^J]
 [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt^JOCSP - URI:http://ocsp.comodoca.com^J]
 [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.taleo.net, DNS:taleo.net]
 [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A^J]
@@ -12,7 +11,6 @@
 [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: X509v3 Any Policy^J]
-[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl^J]
 [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c^JCA Issuers - URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt^JOCSP - URI:http://ocsp.usertrust.com^J]
 [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A]
 [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
diff --git a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
index 4db3233b27..c5e0b1b407 100644
--- a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
+++ b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
@@ -3,5 +3,8 @@
 
 event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info) 
 {
-	print extension;
+	# The formatting of CRL Distribution Points varies between OpenSSL versions. Skip it
+	# for the test.
+	if ( extension$short_name != "crlDistributionPoints" ) 
+		print extension;
 }

From d81bfed45da04d0e77496ea4487832d5aa1f95ba Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 6 Feb 2014 17:52:41 -0800
Subject: [PATCH 027/220] Fixing memory leaks in input framework.

---
 CHANGES                                       |  7 +++
 VERSION                                       |  2 +-
 aux/btest                                     |  2 +-
 src/input/Manager.cc                          | 18 ++++--
 .../btest/core/leaks/input-with-remove.bro    | 63 +++++++++++++++++++
 5 files changed, 84 insertions(+), 8 deletions(-)
 create mode 100644 testing/btest/core/leaks/input-with-remove.bro

diff --git a/CHANGES b/CHANGES
index ce57bfc99e..345e945207 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
 
+2.2-140 | 2014-02-06 17:58:04 -0800
+
+  * Fixing memory leaks in input framework. (Robin Sommer)
+
+  * Add script to detect filtered TCP traces. Addresses BIT-1119. (Jon
+    Siwek)
+
 2.2-137 | 2014-02-04 09:09:55 -0800
 
   * Minor unified2 script documentation fix. (Jon Siwek)
diff --git a/VERSION b/VERSION
index c869973493..8611c50ec0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-137
+2.2-140
diff --git a/aux/btest b/aux/btest
index 23ff11bf0e..808fd764b6 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 23ff11bf0edbad2c6f1acbeb3f9a029ff4b61785
+Subproject commit 808fd764b6f5198264177822db3f902f747c21cc
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index 7af80892c6..95983faf26 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -397,7 +397,9 @@ bool Manager::CreateEventStream(RecordVal* fval)
 	string stream_name = name_val->AsString()->CheckString();
 	Unref(name_val);
 
-	RecordType *fields = fval->Lookup("fields", true)->AsType()->AsTypeType()->Type()->AsRecordType();
+	Val* fields_val = fval->Lookup("fields", true);
+	RecordType *fields = fields_val->AsType()->AsTypeType()->Type()->AsRecordType();
+	Unref(fields_val);
 
 	Val *want_record = fval->Lookup("want_record", true);
 
@@ -548,13 +550,17 @@ bool Manager::CreateTableStream(RecordVal* fval)
 
 	Val* pred = fval->Lookup("pred", true);
 
-	RecordType *idx = fval->Lookup("idx", true)->AsType()->AsTypeType()->Type()->AsRecordType();
+	Val* idx_val = fval->Lookup("idx", true);
+	RecordType *idx = idx_val->AsType()->AsTypeType()->Type()->AsRecordType();
+	Unref(idx_val);
+
 	RecordType *val = 0;
 
-	if ( fval->Lookup("val", true) != 0 )
+	Val* val_val = fval->Lookup("val", true);
+	if ( val_val )
 		{
-		val = fval->Lookup("val", true)->AsType()->AsTypeType()->Type()->AsRecordType();
-		Unref(val); // The lookupwithdefault in the if-clause ref'ed val.
+		val = val_val->AsType()->AsTypeType()->Type()->AsRecordType();
+		Unref(val_val);
 		}
 
 	TableVal *dst = fval->Lookup("destination", true)->AsTableVal();
@@ -729,7 +735,7 @@ bool Manager::CreateTableStream(RecordVal* fval)
 	stream->pred = pred ? pred->AsFunc() : 0;
 	stream->num_idx_fields = idxfields;
 	stream->num_val_fields = valfields;
-	stream->tab = dst->AsTableVal();
+	stream->tab = dst->AsTableVal(); // ref'd by lookupwithdefault
 	stream->rtype = val ? val->AsRecordType() : 0;
 	stream->itype = idx->AsRecordType();
 	stream->event = event ? event_registry->Lookup(event->Name()) : 0;
diff --git a/testing/btest/core/leaks/input-with-remove.bro b/testing/btest/core/leaks/input-with-remove.bro
new file mode 100644
index 0000000000..62fcfa0a4e
--- /dev/null
+++ b/testing/btest/core/leaks/input-with-remove.bro
@@ -0,0 +1,63 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 15
+
+@load base/frameworks/input
+
+redef exit_only_after_terminate = T;
+
+global c: count = 0;
+
+
+type OneLine: record {
+	s: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	print "1", "Line";
+	}
+
+event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool)
+	{
+	Input::remove(name);
+	print "2", name;
+	}
+
+function run(): count
+	{
+	Input::add_event([$name=unique_id(""),
+	                  $source=fmt("%s |", "date"),
+	                  $reader=Input::READER_RAW,
+	                  $mode=Input::STREAM,
+	                  $fields=OneLine,
+	                  $ev=line,
+	                  $want_record=F]);
+
+	return 1;
+	}
+
+
+event do()
+       {
+       run();
+    	}
+
+event do_term() {
+	terminate();
+}
+
+event bro_init() {
+	schedule 1sec { 
+	 do() 
+	};
+	schedule 3sec { 
+	 do_term() 
+	};
+}
+

From b64137761ee73ed10498645124575bf17f5630c9 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 6 Feb 2014 18:20:46 -0800
Subject: [PATCH 028/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index 808fd764b6..14d1f23fff 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 808fd764b6f5198264177822db3f902f747c21cc
+Subproject commit 14d1f23fffff5bcc19d305992dac78cbff83b7be

From a048082e688ef9ed3b3d0649dec2a79c1519847a Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 6 Feb 2014 20:23:34 -0800
Subject: [PATCH 029/220] Fixing bug in POP3 analyzer.

With certain input the analyzer could end up trying to write to
non-writable memory.
---
 CHANGES                            | 5 +++++
 VERSION                            | 2 +-
 src/analyzer/protocol/pop3/POP3.cc | 7 +++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 345e945207..801b7fcd10 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.2-142 | 2014-02-06 20:23:34 -0800
+
+  * Fixing bug in POP3 analyzer. With certain input the analyzer could
+    end up trying to write to non-writable memory. (Robin Sommer)
+
 2.2-140 | 2014-02-06 17:58:04 -0800
 
   * Fixing memory leaks in input framework. (Robin Sommer)
diff --git a/VERSION b/VERSION
index 8611c50ec0..56b1a615cd 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-140
+2.2-142
diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
index 388a055ee2..1b6b4c53b6 100644
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -192,14 +192,13 @@ void POP3_Analyzer::ProcessRequest(int length, const char* line)
 
 		case AUTH_CRAM_MD5:
 			{ // Format: "user<space>password-hash"
-			char* s;
-			char* str = (char*) decoded->CheckString();
+			const char* s;
+			const char* str = (char*) decoded->CheckString();
 
 			for ( s = str; *s && *s != '\t' && *s != ' '; ++s )
 				;
-			*s = '\0';
 
-			user = str;
+			user = std::string(str, s);
 			password = "";
 
 			break;

From c1f626d4ced9312ce132919daa1c92346252e687 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 6 Feb 2014 20:31:02 -0800
Subject: [PATCH 030/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index 437333e799..a3f9cc59af 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 437333e79964b5582f40ae213f69fa96ad590778
+Subproject commit a3f9cc59af51bf51a5a2d6e89b059059345a1d0f

From 71df27f9d54b848d606a3bd5ba3755ecf2beb97e Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 6 Feb 2014 20:31:18 -0800
Subject: [PATCH 031/220] Updating submodule(s).

 [nomail]
---
 CHANGES    | 2 +-
 VERSION    | 2 +-
 aux/broctl | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 801b7fcd10..16d1bb69f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,5 @@
 
-2.2-142 | 2014-02-06 20:23:34 -0800
+2.2-144 | 2014-02-06 20:31:18 -0800
 
   * Fixing bug in POP3 analyzer. With certain input the analyzer could
     end up trying to write to non-writable memory. (Robin Sommer)
diff --git a/VERSION b/VERSION
index 56b1a615cd..d92d849fbb 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-142
+2.2-144
diff --git a/aux/broctl b/aux/broctl
index a3f9cc59af..66793ec3c6 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit a3f9cc59af51bf51a5a2d6e89b059059345a1d0f
+Subproject commit 66793ec3c602439e235bee705b654aefb7ac8dec

From 2bbf29681ea7151745fc06546e767bde95507bab Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 6 Feb 2014 21:07:46 -0800
Subject: [PATCH 032/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index 14d1f23fff..9d23ca5b7c 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 14d1f23fffff5bcc19d305992dac78cbff83b7be
+Subproject commit 9d23ca5b7ced7fd5ec208d1a074bc40babde9a30

From f11373505deac2bd69ace4f71440c15e94671e13 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 7 Feb 2014 10:44:31 -0800
Subject: [PATCH 033/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index 9d23ca5b7c..73a736bddb 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 9d23ca5b7ced7fd5ec208d1a074bc40babde9a30
+Subproject commit 73a736bddb8931afc54bc52b567f639515b19f26

From 741ae7a368f4e58cde2d1db26695db92811224e3 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 7 Feb 2014 12:51:48 -0800
Subject: [PATCH 034/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index 73a736bddb..9a7b36a44a 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 73a736bddb8931afc54bc52b567f639515b19f26
+Subproject commit 9a7b36a44a7abeaa1dc2754d3072ab08995c6af8

From adfe3a0754d936de1dbe702848b5bf36fe8c19ed Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 10 Feb 2014 23:56:23 -0800
Subject: [PATCH 035/220] add channel_id tls extension number.

This number is not IANA defined, but we see it being
actively used.
---
 scripts/base/protocols/ssl/consts.bro | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 55289a7419..b81aebfbbb 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -86,6 +86,7 @@ export {
 		[13172] = "next_protocol_negotiation",
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
+		[30031] = "channel_id",
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	

From 506b26e5ff137f61e087292c0b62453086f5fca9 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Tue, 11 Feb 2014 15:30:22 -0500
Subject: [PATCH 036/220] Expanding the HTTP methods used in the signature to
 detect HTTP traffic.

---
 scripts/base/protocols/http/dpd.sig | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/http/dpd.sig b/scripts/base/protocols/http/dpd.sig
index 13470f4e95..3e264f0bb3 100644
--- a/scripts/base/protocols/http/dpd.sig
+++ b/scripts/base/protocols/http/dpd.sig
@@ -1,6 +1,8 @@
+# List of HTTP headers pulled from:
+#   http://annevankesteren.nl/2007/10/http-methods
 signature dpd_http_client {
   ip-proto == tcp
-  payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/
+  payload /^[[:space:]]*(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH|BCOPY|BDELETE|BMOVE|BPROPFIND|BPROPPATCH|NOTIFY|POLL|SUBSCRIBE|UNSUBSCRIBE|X-MS-ENUMATTS|RPC_OUT_DATA|RPC_IN_DATA)[[:space:]]*/
   tcp-state originator
 }
 
@@ -11,3 +13,5 @@ signature dpd_http_server {
   requires-reverse-signature dpd_http_client
   enable "http"
 }
+
+

From 64d73d5a2b76e84b472ee361535f91f2b00a4802 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 11 Feb 2014 15:41:16 -0800
Subject: [PATCH 037/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index 9a7b36a44a..acdf251b08 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 9a7b36a44a7abeaa1dc2754d3072ab08995c6af8
+Subproject commit acdf251b08980447b20c72ce0a5e6035665cbc22

From 39be3828fdb7632477cd8d4ccb0e060ca237e16f Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 11 Feb 2014 16:16:09 -0800
Subject: [PATCH 038/220] Baseline updates for DNS change.

I assume these are expected, and in any case it's DS that's being
tested not DNS. :)
---
 .../conn.ds.txt                                               | 4 ++--
 .../conn.ds.txt                                               | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
index 5a48439a9f..3bf8a78707 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
@@ -54,8 +54,8 @@
 # Extent, type='conn'
 ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 1300475167096535 CXWv6p3arKYeMETxOg 141.142.220.202 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 73 0 0 
-1300475167097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp  0 0 0 S0 F 0 D 1 199 0 0 
-1300475167099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp  0 0 0 S0 F 0 D 1 179 0 0 
+1300475167097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns 0 0 0 S0 F 0 D 1 199 0 0 
+1300475167099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp dns 0 0 0 S0 F 0 D 1 179 0 0 
 1300475168853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 udp dns 435 38 89 SF F 0 Dd 1 66 1 117 
 1300475168854378 C6pKV8GSxOnSLghOa 141.142.220.118 37676 141.142.2.2 53 udp dns 420 52 99 SF F 0 Dd 1 80 1 127 
 1300475168854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 udp dns 391 38 183 SF F 0 Dd 1 66 1 211 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
index 8f486c30e0..a82439c1e0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
@@ -54,8 +54,8 @@
 # Extent, type='conn'
 ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 1300475167.096535 CXWv6p3arKYeMETxOg 141.142.220.202 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 73 0 0 
-1300475167.097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp  0.000000 0 0 S0 F 0 D 1 199 0 0 
-1300475167.099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp  0.000000 0 0 S0 F 0 D 1 179 0 0 
+1300475167.097012 CjhGID4nQcgTWjvg4c fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns 0.000000 0 0 S0 F 0 D 1 199 0 0 
+1300475167.099816 CCvvfg3TEfuqmmG4bh 141.142.220.50 5353 224.0.0.251 5353 udp dns 0.000000 0 0 S0 F 0 D 1 179 0 0 
 1300475168.853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF F 0 Dd 1 66 1 117 
 1300475168.854378 C6pKV8GSxOnSLghOa 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF F 0 Dd 1 80 1 127 
 1300475168.854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF F 0 Dd 1 66 1 211 

From f45bd84f4ca65b235d17963dc97b4c152fd8ad57 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 11 Feb 2014 16:16:49 -0800
Subject: [PATCH 039/220] Updating submodule(s).

 [nomail]
---
 aux/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/btest b/aux/btest
index acdf251b08..c3a65f1306 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit acdf251b08980447b20c72ce0a5e6035665cbc22
+Subproject commit c3a65f13063291ffcfd6d05c09d7724c02e9a40d

From 6563b544d8b5e532006682acc3313c5989ce0fe5 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 12 Feb 2014 17:00:12 -0600
Subject: [PATCH 040/220] Fix memory leak in modbus analyzer.

Would happen if there's a 'modbus_read_fifo_queue_response'
event handler.
---
 .../protocol/modbus/modbus-analyzer.pac       | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/protocol/modbus/modbus-analyzer.pac b/src/analyzer/protocol/modbus/modbus-analyzer.pac
index a9c773b9e9..c2d009c961 100644
--- a/src/analyzer/protocol/modbus/modbus-analyzer.pac
+++ b/src/analyzer/protocol/modbus/modbus-analyzer.pac
@@ -10,6 +10,7 @@
 %header{
 	VectorVal* bytestring_to_coils(bytestring coils, uint quantity);
 	RecordVal* HeaderToBro(ModbusTCP_TransportHeader *header);
+	VectorVal* create_vector_of_count();
 	%}
 
 %code{
@@ -30,6 +31,14 @@
 		return modbus_header;
 		}
 
+	VectorVal* create_vector_of_count()
+		{
+		VectorType* vt = new VectorType(base_type(TYPE_COUNT));
+		VectorVal* vv = new VectorVal(vt);
+		Unref(vt);
+		return vv;
+		}
+
 	%}
 
 refine flow ModbusTCP_Flow += {
@@ -367,7 +376,7 @@ refine flow ModbusTCP_Flow += {
 		if ( ::modbus_read_file_record_request )
 			{
 			//TODO: this need to be a vector of some Reference Request record type
-			//VectorVal *t = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+			//VectorVal *t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
 			//	{
 			//	Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
@@ -393,7 +402,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_read_file_record_response )
 			{
-			//VectorVal *t = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+			//VectorVal *t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < ${message.references}->size(); ++i )
 			//	{
 			//	//TODO: work the reference type in here somewhere
@@ -414,7 +423,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_file_record_request )
 			{
-			//VectorVal* t = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+			//VectorVal* t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
 			//	{
 			//	Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
@@ -447,7 +456,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ::modbus_write_file_record_response )
 			{
-			//VectorVal* t = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+			//VectorVal* t = create_vector_of_count();
 			//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
 			//	{
 			//	Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
@@ -589,7 +598,7 @@ refine flow ModbusTCP_Flow += {
 
 		if ( ::modbus_read_fifo_queue_response )
 			{
-			VectorVal* t = new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+			VectorVal* t = create_vector_of_count();
 			for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
 				{
 				Val* r = new Val(${message.register_data[i]}, TYPE_COUNT);

From e844727e7339a95054e05cdf8634d6fd47044e74 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 12 Feb 2014 17:03:51 -0600
Subject: [PATCH 041/220] Increase timeouts of some unit tests.

---
 testing/btest/core/leaks/basic-cluster.bro          | 2 +-
 testing/btest/core/leaks/dataseries.bro             | 2 +-
 testing/btest/core/leaks/file-analysis-http-get.bro | 2 +-
 testing/btest/core/leaks/hll_cluster.bro            | 2 +-
 testing/btest/core/leaks/input-reread.bro           | 2 +-
 testing/btest/core/leaks/test-all.bro               | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro
index 2c13c2315c..2d93469850 100644
--- a/testing/btest/core/leaks/basic-cluster.bro
+++ b/testing/btest/core/leaks/basic-cluster.bro
@@ -9,7 +9,7 @@
 # @TEST-EXEC: sleep 1
 # @TEST-EXEC: btest-bg-run worker-1  HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m %INPUT
 # @TEST-EXEC: btest-bg-run worker-2  HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 25
 
 @TEST-START-FILE cluster-layout.bro
 redef Cluster::nodes = {
diff --git a/testing/btest/core/leaks/dataseries.bro b/testing/btest/core/leaks/dataseries.bro
index 61c9c030e9..fcb5782f4e 100644
--- a/testing/btest/core/leaks/dataseries.bro
+++ b/testing/btest/core/leaks/dataseries.bro
@@ -8,4 +8,4 @@
 #
 # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_DATASERIES
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 25
diff --git a/testing/btest/core/leaks/file-analysis-http-get.bro b/testing/btest/core/leaks/file-analysis-http-get.bro
index 8256f3e6da..aa4708305e 100644
--- a/testing/btest/core/leaks/file-analysis-http-get.bro
+++ b/testing/btest/core/leaks/file-analysis-http-get.bro
@@ -5,7 +5,7 @@
 # @TEST-GROUP: leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 25
 
 redef test_file_analysis_source = "HTTP";
 
diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.bro
index a6f704a677..a843452e00 100644
--- a/testing/btest/core/leaks/hll_cluster.bro
+++ b/testing/btest/core/leaks/hll_cluster.bro
@@ -10,7 +10,7 @@
 # @TEST-EXEC: sleep 2
 # @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro runnumber=1 %INPUT
 # @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro runnumber=2 %INPUT
-# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-bg-wait 25
 #
 # @TEST-EXEC: btest-diff manager-1/.stdout
 # @TEST-EXEC: btest-diff worker-1/.stdout
diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.bro
index fa37f04ede..c6ff5361be 100644
--- a/testing/btest/core/leaks/input-reread.bro
+++ b/testing/btest/core/leaks/input-reread.bro
@@ -14,7 +14,7 @@
 # @TEST-EXEC: cp input4.log input.log
 # @TEST-EXEC: sleep 5
 # @TEST-EXEC: cp input5.log input.log
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @TEST-START-FILE input1.log
 #separator \x09
diff --git a/testing/btest/core/leaks/test-all.bro b/testing/btest/core/leaks/test-all.bro
index acba16bd6d..7cdccb202a 100644
--- a/testing/btest/core/leaks/test-all.bro
+++ b/testing/btest/core/leaks/test-all.bro
@@ -5,4 +5,4 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace test-all-policy
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 25

From dd0856a57f386b12819b7ef54b141d2d706539d8 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 12 Feb 2014 22:38:59 -0500
Subject: [PATCH 042/220] HTTP CONNECT proxy support.

 - The HTTP analyzer now supports handling HTTP CONNECT proxies
   same as the SOCKS analyzer handles proxying.
---
 scripts/base/protocols/http/main.bro          |  11 ++++++
 src/analyzer/protocol/http/HTTP.cc            |  35 ++++++++++++++++++
 src/analyzer/protocol/http/HTTP.h             |   4 ++
 src/types.bif                                 |   1 +
 .../conn.log                                  |  10 +++++
 .../http.log                                  |  10 +++++
 .../smtp.log                                  |  10 +++++
 .../tunnel.log                                |  10 +++++
 .../btest/Traces/http/connect-with-smtp.trace | Bin 0 -> 4191 bytes
 .../base/protocols/http/http-connect.bro      |  11 ++++++
 10 files changed, 102 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log
 create mode 100644 testing/btest/Traces/http/connect-with-smtp.trace
 create mode 100644 testing/btest/scripts/base/protocols/http/http-connect.bro

diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index a164fcd6a6..27257be2d6 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -4,6 +4,7 @@
 
 @load base/utils/numbers
 @load base/utils/files
+@load base/frameworks/tunnels
 
 module HTTP;
 
@@ -217,6 +218,16 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 		c$http$info_code = code;
 		c$http$info_msg = reason;
 		}
+	
+	if ( c$http?$method && c$http$method == "CONNECT" && code == 200 )
+		{
+		# Copy this conn_id and set the orig_p to zero because in the case of CONNECT proxies there will
+		# be potentially many source ports since a new proxy connection is established for each
+		# proxied connection.  We treat this as a singular "tunnel".
+		local tid = copy(c$id);
+		tid$orig_p = 0/tcp;
+		Tunnel::register([$cid=tid, $tunnel_type=Tunnel::HTTP]);
+		}
 	}
 
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index f605dce402..93dbfbcb2e 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -889,6 +889,9 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
 	reply_code = 0;
 	reply_reason_phrase = 0;
 
+	connect_request = false;
+	pia = 0;
+
 	content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
 	AddSupportAnalyzer(content_line_orig);
 
@@ -945,6 +948,14 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	if ( TCP() && TCP()->IsPartial() )
 		return;
 
+	if ( pia )
+		{
+		// There will be a PIA instance if this connection has been identified 
+		// as a connect proxy.
+		ForwardStream(len, data, is_orig);
+		return;
+		}
+
 	const char* line = reinterpret_cast<const char*>(data);
 	const char* end_of_line = line + len;
 
@@ -1059,6 +1070,27 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 						reply_message, is_orig,
 						ExpectReplyMessageBody(),
 						len);
+
+				if ( connect_request && reply_code == 200 )
+					{
+					pia = new pia::PIA_TCP(Conn());
+					if ( AddChildAnalyzer(pia) )
+						{
+						pia->FirstPacket(true, 0);
+						pia->FirstPacket(false, 0);
+
+						// This connection has transitioned to no longer
+						// being http and the content line support analyzers
+						// need to be removed.
+						RemoveSupportAnalyzer(content_line_orig);
+						RemoveSupportAnalyzer(content_line_resp);
+						}
+					else
+						{
+						pia = 0;
+						}
+					}
+
 				}
 			else
 				{
@@ -1404,6 +1436,9 @@ void HTTP_Analyzer::HTTP_Request()
 		// DEBUG_MSG("%.6f http_request\n", network_time);
 		ConnectionEvent(http_request, vl);
 		}
+
+	if ( strcasecmp_n(request_method->AsString()->Len(), (const char*) (request_method->AsString()->Bytes()), "CONNECT") == 0 )
+		connect_request = true;
 	}
 
 void HTTP_Analyzer::HTTP_Reply()
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index a1fedee41d..48a611b63b 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -5,6 +5,7 @@
 
 #include "analyzer/protocol/tcp/TCP.h"
 #include "analyzer/protocol/tcp/ContentLine.h"
+#include "analyzer/protocol/pia/PIA.h"
 #include "analyzer/protocol/zip/ZIP.h"
 #include "analyzer/protocol/mime/MIME.h"
 #include "binpac_bro.h"
@@ -237,6 +238,9 @@ protected:
 	int connection_close;
 	int request_ongoing, reply_ongoing;
 
+	bool connect_request;
+	pia::PIA_TCP *pia;
+
 	Val* request_method;
 
 	// request_URI is in the original form (may contain '%<hex><hex>'
diff --git a/src/types.bif b/src/types.bif
index 2931bf2d22..a44c3c1615 100644
--- a/src/types.bif
+++ b/src/types.bif
@@ -186,6 +186,7 @@ enum Type %{
 	TEREDO,
 	SOCKS,
 	GTPv1,
+	HTTP,
 %}
 
 type EncapsulatingConn: record;
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
new file mode 100644
index 0000000000..8b639edd93
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-02-13-03-37-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1078232251.833846	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	tcp	http,smtp	6.722274	1685	223	SF	-	0	ShADadfF	14	2257	16	944	(empty)
+#close	2014-02-13-03-37-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
new file mode 100644
index 0000000000..4a2cf1ad17
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2014-02-13-03-37-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1078232252.284420	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	CONNECT	-	mailin03.sul.t-online.de:25 /	-	-	0	0	200	Connection established	-	-	-	(empty)	-	-	-	-	-	-	-
+#close	2014-02-13-03-37-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
new file mode 100644
index 0000000000..e11a7e9ac0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	smtp
+#open	2014-02-13-03-37-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
+#types	time	string	addr	port	addr	port	count	string	string	table[string]	string	string	table[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
+1078232255.642953	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	208.191.73.21	<nhfjenna_neumann@lycos.com>	<thenightwatch@t-online.de>	Tue, 2 Mar 2004 13:57:49 +0100	Sybille Ostermann <nhfjenna_neumann@lycos.com>	thenightwatch@t-online.de	-	-	-	Hier sind die dicken Girls hemmungloser denn je.. grcu	-	from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700	-	250 Message accepted.	254.228.86.79,79.26.245.236,216.58.97.33	Microsoft Outlook Build 10.0.2616	FVS9k93PUgScEUCOjd
+#close	2014-02-13-03-37-02
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log
new file mode 100644
index 0000000000..9e18e38e03
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/tunnel.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2014-02-13-03-37-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1078232252.284420	-	79.26.245.236	0	254.228.86.79	8240	Tunnel::HTTP	Tunnel::DISCOVER
+#close	2014-02-13-03-37-02
diff --git a/testing/btest/Traces/http/connect-with-smtp.trace b/testing/btest/Traces/http/connect-with-smtp.trace
new file mode 100644
index 0000000000000000000000000000000000000000..dba5e69edc0c5c10ecf25db2bb50c46aa6b88ad7
GIT binary patch
literal 4191
zcmcgvU2Ggz6~4P(r^%8PDM-{nqMmJET<RUquDy;uP80vecGAr*@!}+;Njl!WyK}QM
zceZzCVmpwyZD^&YkqWAU`amnFct9$sKvNV_Btn2E9)d(FQHd%NtyHA&qf~^rR$6oJ
zthZ~=I+l20v{yU7-~G;azI)Ehwcq~y2VoK+^=)a1kPsfc^{tVCo?mVzL%1&o3H>c3
zE|G7u9<p;I86~89p*%q5HrVm(mu~(2llP~xu@tD=!hILy%}<8sm;U$;A>l~t_d_i$
zBovB-C1Uxl6^K4o4Y!8)&i(;%dc$))5>29l8cTig?1nEO>YGn~E`Is5c^~mY9r0I)
zXtamO4xCYrCXVe3Px%}_AK>^VqTZL=GQV{5Iw6PTlSE?uC>0_v<GvhCST8I*EwT7(
zYhty{FWq{dkm2mUeWSy9uykfJu68MoXDV*O=6FPvBGpo9=!EfnKG&I4)L1lQpJb+~
zL${(rd%?D<y33|b+7Fq@iBU)^YO)^=FkZB09N3qaCmxDLV^K-Ab-tw$cu>mrcYP_J
z845^w-?p%}HMb>xD0jb%QEn0|av(yE;JzHS6t752_PURC=F4khwZ#wZ?j@ui5~NfW
zhHcJi!DTiF>bUx}$sB_g>%@=zY*T}H&{gdV7k!ogvRY+rD`spbX6(;5XIEzInKw3(
zZy;wmnuuHP`NU6u93Z~a7XgW<ze7kWrQS7LkWXa&%)#hnCZ7XA3zVIp0!of!xz!?`
z(2H|QEc$EI@WBhM>rlDjQ#tYfq0%naQ~09~rNY*$0fkjm_zWui;>}`RVHwtQS2vM8
zD6Sk$YhuSow|uPU16VR!XL4=xFGdcdHAWxJqAhxrWM5L*-le3HHNn1eY;(g0O$Ppl
zFPIlJ@EOdViUuCdz99+8O|pFZ@y%ox?#t2SgXBMbEVnP<gBn&_e3V{8AEZ^tRxp>B
z5$^aBAx9BOj;5e<iwQsIU4fvbfafsivmcx$Br`biDD2*!&1gHgQ94dJ*N<`PSvuzf
z=3K#c6kP2)YqS0M`IdFa-}K2p5hQ;Og*cdNi*KWU2$28DWA_l0-5*WlGmDS;<O3B^
zJBZ}ZBl)NPbe53)!?`@<v)T^Vpq!NrcSd&$#=wd?w#<Ag99@U`zkTLB$oxDqKb32P
z1$rgGeDp@F;fP>mP!@&Hd}~1VQ^@=kWInt16d@yn`N3H9H<-d>-64`g7364g#L#V@
zTBSYUh*yvr`W8MMdySB;bT>Mp1F(V#7iO4iKv8#fw1~uS3Ad8H*eK-)svLS`@q3bM
z<-GvcGsyKKay|O&zffiBdV(i%x@%~#zgAj`8kB@>0WUGm+&QKGk7j}P`a%6)o;;jV
zdz7S#3k%oRk%wS<4hn{_xipwAij3<Dr_1bR&BD$iPIiErl7+e(l3iL_)w;VOp>9{P
z9|dU0Hl{G!sTx#JAE>?g)ZtXJM@jc8ecP3;t{MgZCY;xq<AuijbS(lYEuGf7J|!Tf
zeS70Q4I4BShDAShMzAnk+!pSCDYxbRceA+qYMaD*I`SFvSA4sXBbcVhwZ&h^G#RPY
zY3hHeo~D=Q3E7SL&|q?I8XGl*tm9H4S23)=uJg7AcU?WP=%hD&96O{2;|$x0gB>1<
zjN&L%D2Fj7Oa}~VSspK&wu846v4X&Hswhwv1rGrzFH-Tp^U5%bCZ?!xusLhszk^`6
zb}4rg`MD}Z(sb7CteQIG{pciJIMjXQ0p{3=-rjUyBKbfpI-<LHU*4k~kb;aZ8cy1-
zb@#!;YEnAsU?PL&krXqmAZ*7jxsdf-)3z%x<T0}dNmWsmR8O);z8K_69%@j!BcQfd
z^#p}6%1nbYHxBZaDMn4$ZBphGj1CZtI;>0~&s<~={?in9;dcVBQ%HazrPaL>7_M8@
zIy+}(W)xpwms0NF%a~$0Fik7AWjQX4cnDcATvo=($~ZBFLC<mIDTJ3W!34!IG8dR3
z@cIelhJSk*W~-J?2h+(o<S~o-r-494_bfQ+!JTO;TtQ1Ed?*%`<fkdKV3N+_R0YGw
zgR;b|V348%bTkCoPWqs-tOrI%8Mky3Eac(X@(9lzz~|j*;aL_EuwV#9ff*ekX3)U+
zJ_co7=-fqdT;MW1u&5yr!*M8AU_=@X$;fc=1hQLpqh1q<+eojj)Qs+6G!_i<k}e<j
z(|}VHby2DXg5)_8$BD6tNKcngVPtvI6ELaEM3pHv83pH=kkJX4vSk8wZ&hmW48BbI
zI2a^{3fe&ak5Rm0>4gfM!0Sb7VVF402*xGV_c*Q{YRQZW`#RpAp%yBSKPvB_0)=s@
zD`$^I2TjzFvso010_IU$*EohQtE#A&63C&mb70w~DIMwSrN~X9j$wGra#^+NyBjlH
z!S$wB(5W)*lW1>rV^!SYWva;sR=5?HU$I~difu=JJfL6Y4OYpJ%SqQ~D;6u6Me7M(
zC{<(8<;E0$bwv|xs-AcJ>RDQ&dJc@>Yt`j(Y)p;nx#@>7lEFhcnwsdYk9{oqaG;4|
zB}S~a_~mnzT7S<_$I($3y-=W4mll!e6)er8>2RaWH+TE%vNW5ouP)64BUqZRVh0@?
zeu0p$er+PZjCEzb518<z{H}aF_yKbjiS9w7mlCZ=G?l#jcR&H{z<7C?__M!{G>A7T
z9PuYR8dUf{{$%&YFOC1SrY|8<gb&2V23Amn_Qg+p5xyG`VGoLM8(-Do#sndgKAgll
s_|0{(mVB)9YhvAtSmUd(POrdfigBYK<JW^R-o_aBqKht#zg~~=zf6bawg3PC

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/http/http-connect.bro b/testing/btest/scripts/base/protocols/http/http-connect.bro
new file mode 100644
index 0000000000..d8157e2c49
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-connect.bro
@@ -0,0 +1,11 @@
+# This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly.
+#
+# @TEST-EXEC: bro -r $TRACES/http/connect-with-smtp.trace %INPUT
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff smtp.log
+# @TEST-EXEC: btest-diff tunnel.log
+
+# The base analysis scripts are loaded by default.
+#@load base/protocols/http
+

From eb744fd329a2147f94b0cd5d8b2e677fbdaa286a Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 13 Feb 2014 12:45:51 -0800
Subject: [PATCH 043/220] Revert "Expanding the HTTP methods used in the
 signature to detect HTTP traffic."

This reverts commit 506b26e5ff137f61e087292c0b62453086f5fca9.

The corresponding patch adding HTTP CONNECT support doesn't work yet
so backing this out until we get that in shape.
---
 scripts/base/protocols/http/dpd.sig | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/scripts/base/protocols/http/dpd.sig b/scripts/base/protocols/http/dpd.sig
index 3e264f0bb3..13470f4e95 100644
--- a/scripts/base/protocols/http/dpd.sig
+++ b/scripts/base/protocols/http/dpd.sig
@@ -1,8 +1,6 @@
-# List of HTTP headers pulled from:
-#   http://annevankesteren.nl/2007/10/http-methods
 signature dpd_http_client {
   ip-proto == tcp
-  payload /^[[:space:]]*(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH|BCOPY|BDELETE|BMOVE|BPROPFIND|BPROPPATCH|NOTIFY|POLL|SUBSCRIBE|UNSUBSCRIBE|X-MS-ENUMATTS|RPC_OUT_DATA|RPC_IN_DATA)[[:space:]]*/
+  payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/
   tcp-state originator
 }
 
@@ -13,5 +11,3 @@ signature dpd_http_server {
   requires-reverse-signature dpd_http_client
   enable "http"
 }
-
-

From 3c95d1d695ed80d7796b680fd31fa8f3afaf8ad3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 13 Feb 2014 14:55:45 -0600
Subject: [PATCH 044/220] Refactor DNS script's state management to improve
 performance.

The amount of timers involved in DNS::PendingMessage tables'
expiration attributes have a significant performance hit.  Instead the
script now relies solely on maximum thresholds for pending message
quantities to limit amount of accumulated state.  There's a new option,
"DNS::max_pending_query_ids", to limit the number outstanding messages
across all DNS query IDs ("DNS::max_pending_msgs" still limits number
of outstanding messages for a *given* query ID).
---
 scripts/base/protocols/dns/main.bro           | 64 +++++++++----------
 .../weird.log                                 |  5 +-
 2 files changed, 33 insertions(+), 36 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 21a0711159..294220d1f2 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -109,16 +109,6 @@ export {
 	## DNS message query/transaction ID.
 	type PendingMessages: table[count] of Queue::Queue;
 
-	## Called when a pending DNS query has not been matched with a reply (or
-	## vice versa) in a sufficent amount of time.
-	##
-	## pending: table of pending messages, indexed by transaction ID.
-	##
-	## id: the index of he element being expired.
-	##
-	## Returns: amount of time to delay expiration of the element.
-	global expire_pending_msg: function(pending: PendingMessages, id: count): interval;
-
 	## The amount of time that DNS queries or replies for a given
 	## query/transaction ID are allowed to be queued while waiting for
 	## a matching reply or query.
@@ -131,16 +121,21 @@ export {
 	## response is ongoing).
 	const max_pending_msgs = 50 &redef;
 
+	## Give up trying to match pending DNS queries or replies across all
+	## query/transaction IDs once there is at least one unmatched query or
+	## reply across this number of different query IDs.
+	const max_pending_query_ids = 50 &redef;
+
 	## A record type which tracks the status of DNS queries for a given
 	## :bro:type:`connection`.
 	type State: record {
 		## Indexed by query id, returns Info record corresponding to
 		## queries that haven't been matched with a response yet.
-		pending_queries: PendingMessages &read_expire=pending_msg_expiry_interval &expire_func=expire_pending_msg;
+		pending_queries: PendingMessages;
 
 		## Indexed by query id, returns Info record corresponding to
 		## replies that haven't been matched with a query yet.
-		pending_replies: PendingMessages &read_expire=pending_msg_expiry_interval &expire_func=expire_pending_msg;
+		pending_replies: PendingMessages;
 	};
 }
 
@@ -176,7 +171,11 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
 	Queue::get_vector(q, infos);
 
 	for ( i in infos )
+		{
+		event flow_weird("dns_unmatched_msg",
+		                 infos[i]$id$orig_h, infos[i]$id$resp_h);
 		Log::write(DNS::LOG, infos[i]);
+		}
 	}
 
 function log_unmatched_msgs(msgs: PendingMessages)
@@ -191,16 +190,28 @@ function log_unmatched_msgs(msgs: PendingMessages)
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)
 	{
 	if ( id !in msgs )
-		msgs[id] = Queue::init();
-	else if ( Queue::len(msgs[id]) > max_pending_msgs )
 		{
-		local info: Info = Queue::peek(msgs[id]);
-		event flow_weird("dns_unmatched_msg_quantity", info$id$orig_h,
-		                 info$id$resp_h);
-		log_unmatched_msgs_queue(msgs[id]);
-		# Throw away all unmatched on assumption they'll never be matched.
+		if ( |msgs| > max_pending_query_ids )
+			{
+			event flow_weird("dns_unmatched_query_id_quantity",
+			                 msg$id$orig_h, msg$id$resp_h);
+			# Throw away all unmatched on assumption they'll never be matched.
+			log_unmatched_msgs(msgs);
+			}
+
 		msgs[id] = Queue::init();
 		}
+	else
+		{
+		if ( Queue::len(msgs[id]) > max_pending_msgs )
+			{
+			event flow_weird("dns_unmatched_msg_quantity",
+			                 msg$id$orig_h, msg$id$resp_h);
+			log_unmatched_msgs_queue(msgs[id]);
+			# Throw away all unmatched on assumption they'll never be matched.
+			msgs[id] = Queue::init();
+			}
+		}
 
 	Queue::put(msgs[id], msg);
 	}
@@ -447,18 +458,3 @@ event connection_state_remove(c: connection) &priority=-5
 	log_unmatched_msgs(c$dns_state$pending_queries);
 	log_unmatched_msgs(c$dns_state$pending_replies);
 	}
-
-function expire_pending_msg(pending: PendingMessages, id: count): interval
-	{
-	local infos: vector of Info;
-	Queue::get_vector(pending[id], infos);
-
-	for ( i in infos )
-		{
-		Log::write(DNS::LOG, infos[i]);
-		event flow_weird("dns_unmatched_msg", infos[i]$id$orig_h,
-		                 infos[i]$id$resp_h);
-		}
-
-	return 0sec;
-	}
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
index 175a474425..295de4ec2c 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log
@@ -3,9 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-36-33
+#open	2014-02-13-20-36-35
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1363716396.798286	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	DNS_RR_unknown_type	-	F	bro
 1363716396.798374	CXWv6p3arKYeMETxOg	55.247.223.174	27285	222.195.43.124	53	dns_unmatched_reply	-	F	bro
-#close	2013-08-26-19-36-33
+1363716396.798374	-	-	-	-	-	dns_unmatched_msg	-	F	bro
+#close	2014-02-13-20-36-35

From ba81aa438766d34e59752ae6c3dccf52a9f1353c Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 14 Feb 2014 12:06:24 -0800
Subject: [PATCH 045/220] Support for MPLS over VLAN.

Patch by Chris Kanich.

BIT-1017 #merged
---
 CHANGES                                       |   4 ++++
 VERSION                                       |   2 +-
 src/PktSrc.cc                                 |  22 ++++++++++++------
 .../btest/Baseline/core.mpls-in-vlan/conn.log |  12 ++++++++++
 testing/btest/Traces/mpls-in-vlan.trace       | Bin 0 -> 2605 bytes
 testing/btest/core/mpls-in-vlan.bro           |   2 ++
 6 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100644 testing/btest/Baseline/core.mpls-in-vlan/conn.log
 create mode 100644 testing/btest/Traces/mpls-in-vlan.trace
 create mode 100644 testing/btest/core/mpls-in-vlan.bro

diff --git a/CHANGES b/CHANGES
index f00e43a271..ba9102aeeb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-174 | 2014-02-14 12:07:04 -0800
+
+  * Support for MPLS over VLAN. (Chris Kanich)
+
 2.2-173 | 2014-02-14 10:50:15 -0800
 
   * Fix misidentification of SOCKS traffic that in particiular seemed
diff --git a/VERSION b/VERSION
index 60dee2b058..5b847786b5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-173
+2.2-174
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 941c4acd83..179630cdbd 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -229,12 +229,21 @@ void PktSrc::Process()
 			{
 			// MPLS carried over the ethernet frame.
 			case 0x8847:
+				// Remove the data link layer and denote a
+				// header size of zero before the IP header.
 				have_mpls = true;
+				data += get_link_header_size(datalink);
+				pkt_hdr_size = 0;
 				break;
 
 			// VLAN carried over the ethernet frame.
 			case 0x8100:
 				data += get_link_header_size(datalink);
+
+				// Check for MPLS in VLAN.
+				if ( ((data[2] << 8) + data[3]) == 0x8847 )
+					have_mpls = true;
+
 				data += 4; // Skip the vlan header
 				pkt_hdr_size = 0;
 
@@ -274,8 +283,13 @@ void PktSrc::Process()
 		protocol = (data[2] << 8) + data[3];
 
 		if ( protocol == 0x0281 )
-			// MPLS Unicast
+			{
+			// MPLS Unicast. Remove the data link layer and
+			// denote a header size of zero before the IP header.
 			have_mpls = true;
+			data += get_link_header_size(datalink);
+			pkt_hdr_size = 0;
+			}
 
 		else if ( protocol != 0x0021 && protocol != 0x0057 )
 			{
@@ -290,12 +304,6 @@ void PktSrc::Process()
 
 	if ( have_mpls )
 		{
-		// Remove the data link layer
-		data += get_link_header_size(datalink);
-
-		// Denote a header size of zero before the IP header
-		pkt_hdr_size = 0;
-
 		// Skip the MPLS label stack.
 		bool end_of_stack = false;
 
diff --git a/testing/btest/Baseline/core.mpls-in-vlan/conn.log b/testing/btest/Baseline/core.mpls-in-vlan/conn.log
new file mode 100644
index 0000000000..e8ee793b75
--- /dev/null
+++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-02-14-20-04-20
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1371685686.536606	CXWv6p3arKYeMETxOg	65.65.65.65	19244	65.65.65.65	80	tcp	-	-	-	-	OTH	-	0	D	1	257	0	0	(empty)
+1371686961.156859	CjhGID4nQcgTWjvg4c	65.65.65.65	32828	65.65.65.65	80	tcp	-	-	-	-	OTH	-	0	d	0	0	1	1500	(empty)
+1371686961.479321	CCvvfg3TEfuqmmG4bh	65.65.65.65	61193	65.65.65.65	80	tcp	-	-	-	-	OTH	-	0	D	1	710	0	0	(empty)
+#close	2014-02-14-20-04-20
diff --git a/testing/btest/Traces/mpls-in-vlan.trace b/testing/btest/Traces/mpls-in-vlan.trace
new file mode 100644
index 0000000000000000000000000000000000000000..634f3fce1469f61f436ed1b79c5b1c42f8c29289
GIT binary patch
literal 2605
zcmc&$O>7%Q6rKc{rYlxd;*t}LWDX_rdhM86Wl5!&#EGR8$t5We327Pcj@LuRGt2Bc
zPFf)h5>ig|g2V+ODpi~~fdq$~T7E9v5Jyy1LeN{0IKY)RyIv=@TnSf2j5IrXGjHC!
z@0<7L?a$wSd1Dqmj<R+xhtLcNmDSsqpDxa$r$Eph&Hq}hR@3i$=!tjdQ4P(^xG%4u
z<+=XXu#~jTJZilE`CIgF^WMk(1@znZ3arh{8|bU^OCSE&o872wV>?s+w<E4^Z#V2x
zp=27PTO2$pXOd~uWfYICn#QUWf_gEN!oi!AhE|ocJ!%?PBC4!vK*ji$%-)32G)$vZ
zzkT`0pGAM3LP;N`2%*D`$L`<A*U+h7UI<rEajvnJ8A6Tz^1>T8KmDxu-Sz%iRH=NB
z(qv!%;^>*P;@M1ZiqSOAG>NwxDA^Uh#X2OQj*x=BIJ)3TE|rs8UtiY?1F2N2ER`?7
z#5<;ui)ARt-X$h>@ikCsaY=v|#e#OMx4^Q4mx|%O7Lr+~bUu|r8L@<2(u^eU#`<iq
zND6{d-)&PKCKhA5A6u~^B5Fz1aj-{178A~{CcdUF;mpHC*{7aVB)zx{Q%HQDiNL|&
z%CKjC9W&wJuHxtHn07)=Vj9^}dBlynO<#5x5q3gUWNYUNp$MMCLRyN3l*E|RR*V6z
z2HK_?zf-EDNPQN8xdW%krMH`+%(W@;sd`P3Fr*3(M0}D?;<V)+tX<PIY7$Q1f=i={
zv-G}zG<(q+Z>w8dxVpAhTf;By;Ogd9y}C25lE{lT++v6M5biO=^w6W@DV%E(NCo94
z_vd=4qIOIB2RGhx+RXQ<(9k<X1x#2?8OO5Yl%G!+(18N>d`{iA>`*r*O-=!<9^8bu
zLPz>tPSb__1Z92PApXkbGMqG}&30K^Xi5ddW!~Wu1Ovn#^Kou9X<!#a8wG*WfYl3G
zxD8W4Pqu&%D}sQ8NC%4p8^ef$-M9#o=_MXVa#!EHN1{R8Pr&>@g1Q{%@q`U9uTc)%
z*Tg!dH20=t3k-4gz%w}0r(^(^G(N1qS!Qz<0U_}Lr&fFr0xek<PMv6J#1W-r&+YPw
zDF-=*f!!$qrf-YRAZw7UgU4X9olpZF(M|(9BO!~ZG*ZCE#HUzSfStx^baxgdeY66Y
z8;2X{$-B#FuC!c3vp>B4*9y8g_f0-C^~V|1_~h2_d+zDNPyGe&@YY9zVtMn;JN2Vi
z7apouX2$==@kG5&>u|4Ep!)<~U|NtW7%jxRx)8(b|FDJlQR9T0_B<Lw$y>A+P2&~X
zqKc}qe~CwZ=znZ4!(`QjC)27KTxDV2r!8F+^O5hhhdP&t2)g?30aIaJ*~&u|c>7|p
Ja6$j^`~zPp1hfDE

literal 0
HcmV?d00001

diff --git a/testing/btest/core/mpls-in-vlan.bro b/testing/btest/core/mpls-in-vlan.bro
new file mode 100644
index 0000000000..f57c1862ce
--- /dev/null
+++ b/testing/btest/core/mpls-in-vlan.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/mpls-in-vlan.trace
+# @TEST-EXEC: btest-diff conn.log

From b712d6436cfbfe48c0afcb0a2fd30bfd07a4687b Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 18 Feb 2014 02:54:03 -0800
Subject: [PATCH 046/220] update 3rdparty submodule (new SQLite version)

---
 src/3rdparty | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/3rdparty b/src/3rdparty
index 42a4c9694a..92674c5745 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 42a4c9694a2b2677b050fbb7cbae26bc5ec4605a
+Subproject commit 92674c57455cb71de5a2be6f482570e10be46aa6

From a0c06a957bf3c7fd60748f7b5074bff8cbd86868 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 18 Feb 2014 14:41:32 -0600
Subject: [PATCH 047/220] Add SNMP datagram parsing support.

This supports parsing of SNMPv1 (RFC 1157), SNMPv2 (RFC 1901/3416), and
SNMPv2 (RFC 3412).  An event is raised for each SNMP PDU type, though
there's not currently any event handlers for them and not a default
snmp.log either.  However, simple presence of SNMP is currently visible
now in conn.log service field and known_services.log.
---
 scripts/base/init-bare.bro                    | 124 ++++
 scripts/base/init-default.bro                 |   1 +
 scripts/base/protocols/snmp/README            |   1 +
 scripts/base/protocols/snmp/__load__.bro      |   1 +
 scripts/base/protocols/snmp/main.bro          |  15 +
 src/analyzer/protocol/CMakeLists.txt          |   1 +
 src/analyzer/protocol/snmp/CMakeLists.txt     |  11 +
 src/analyzer/protocol/snmp/Plugin.cc          |   9 +
 src/analyzer/protocol/snmp/SNMP.cc            |  38 ++
 src/analyzer/protocol/snmp/SNMP.h             |  29 +
 src/analyzer/protocol/snmp/events.bif         | 166 +++++
 src/analyzer/protocol/snmp/snmp-analyzer.pac  | 590 +++++++++++++++++
 src/analyzer/protocol/snmp/snmp-protocol.pac  | 272 ++++++++
 src/analyzer/protocol/snmp/snmp.pac           |  25 +
 src/analyzer/protocol/snmp/types.bif          |  18 +
 .../Baseline/core.print-bpf-filters/output2   |  10 +-
 .../canonified_loaded_scripts.log             |   6 +-
 .../canonified_loaded_scripts.log             |   8 +-
 .../scripts.base.protocols.snmp.v1/out1       | 598 ++++++++++++++++++
 .../scripts.base.protocols.snmp.v1/out2       |  26 +
 .../scripts.base.protocols.snmp.v1/out3       |  18 +
 .../scripts.base.protocols.snmp.v1/out4       |  11 +
 .../scripts.base.protocols.snmp.v2/out1       |  18 +
 .../scripts.base.protocols.snmp.v2/out2       |  18 +
 .../scripts.base.protocols.snmp.v2/out3       |  72 +++
 .../scripts.base.protocols.snmp.v3/out1       |  34 +
 testing/btest/Traces/snmp/snmpv1_get.pcap     | Bin 0 -> 7165 bytes
 .../btest/Traces/snmp/snmpv1_get_short.pcap   | Bin 0 -> 299 bytes
 testing/btest/Traces/snmp/snmpv1_set.pcap     | Bin 0 -> 219 bytes
 testing/btest/Traces/snmp/snmpv1_trap.pcap    | Bin 0 -> 143 bytes
 testing/btest/Traces/snmp/snmpv2_get.pcap     | Bin 0 -> 233 bytes
 .../btest/Traces/snmp/snmpv2_get_bulk.pcap    | Bin 0 -> 214 bytes
 .../btest/Traces/snmp/snmpv2_get_next.pcap    | Bin 0 -> 894 bytes
 .../btest/Traces/snmp/snmpv3_get_next.pcap    | Bin 0 -> 661 bytes
 .../btest/scripts/base/protocols/snmp/v1.bro  |  11 +
 .../btest/scripts/base/protocols/snmp/v2.bro  |   9 +
 .../btest/scripts/base/protocols/snmp/v3.bro  |   5 +
 testing/scripts/snmp-test.bro                 | 208 ++++++
 38 files changed, 2345 insertions(+), 8 deletions(-)
 create mode 100644 scripts/base/protocols/snmp/README
 create mode 100644 scripts/base/protocols/snmp/__load__.bro
 create mode 100644 scripts/base/protocols/snmp/main.bro
 create mode 100644 src/analyzer/protocol/snmp/CMakeLists.txt
 create mode 100644 src/analyzer/protocol/snmp/Plugin.cc
 create mode 100644 src/analyzer/protocol/snmp/SNMP.cc
 create mode 100644 src/analyzer/protocol/snmp/SNMP.h
 create mode 100644 src/analyzer/protocol/snmp/events.bif
 create mode 100644 src/analyzer/protocol/snmp/snmp-analyzer.pac
 create mode 100644 src/analyzer/protocol/snmp/snmp-protocol.pac
 create mode 100644 src/analyzer/protocol/snmp/snmp.pac
 create mode 100644 src/analyzer/protocol/snmp/types.bif
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v1/out1
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v1/out2
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v1/out3
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v1/out4
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v2/out1
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v2/out2
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v2/out3
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.snmp.v3/out1
 create mode 100644 testing/btest/Traces/snmp/snmpv1_get.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv1_get_short.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv1_set.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv1_trap.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv2_get.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv2_get_bulk.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv2_get_next.pcap
 create mode 100644 testing/btest/Traces/snmp/snmpv3_get_next.pcap
 create mode 100644 testing/btest/scripts/base/protocols/snmp/v1.bro
 create mode 100644 testing/btest/scripts/base/protocols/snmp/v2.bro
 create mode 100644 testing/btest/scripts/base/protocols/snmp/v3.bro
 create mode 100644 testing/scripts/snmp-test.bro

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d4e631ecf4..7e3840df0a 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2775,6 +2775,130 @@ export {
 }
 module GLOBAL;
 
+@load base/bif/plugins/Bro_SNMP.types.bif
+
+module SNMP;
+export {
+
+	## The top-level message data structure of an SNMPv1 datagram, not
+	## including the PDU data.  See :rfc:`1157`.
+	type SNMP::HeaderV1: record {
+		community: string;
+	};
+
+	## The top-level message data structure of an SNMPv2 datagram, not
+	## including the PDU data.  See :rfc:`1901`.
+	type SNMP::HeaderV2: record {
+		community: string;
+	};
+
+	## The ``ScopedPduData`` data structure of an SNMPv3 datagram, not
+	## including the PDU data (i.e. just the "context" fields).
+	## See :rfc:`3412`.
+	type SNMP::ScopedPDU_Context: record {
+		engine_id: string;
+		name:      string;
+	};
+
+	## The top-level message data structure of an SNMPv3 datagram, not
+	## including the PDU data.  See :rfc:`3412`.
+	type SNMP::HeaderV3: record {
+		id:              count;
+		max_size:        count;
+		flags:           count;
+		auth_flag:       bool;
+		priv_flag:       bool;
+		reportable_flag: bool;
+		security_model:  count;
+		security_params: string;
+		pdu_context:     SNMP::ScopedPDU_Context &optional;
+	};
+
+	## A generic SNMP header data structure that may include data from
+	## any version of SNMP.  The value of the ``version`` field
+	## determines what header field is initialized.
+	type SNMP::Header: record {
+		version: count;
+		v1:      SNMP::HeaderV1 &optional; ##< Set when ``version`` is 0.
+		v2:      SNMP::HeaderV2 &optional; ##< Set when ``version`` is 1.
+		v3:      SNMP::HeaderV3 &optional; ##< Set when ``version`` is 3.
+	};
+
+	## A generic SNMP object value, that may include any of the
+	## valid ``ObjectSyntax`` values from :rfc:`1155` or :rfc:`3416`.
+	## The value is decoded whenever possible and assigned to
+	## the appropriate field, which can be determined from the value
+	## of the ``tag`` field.  For tags that can't be mapped to an
+	## appropriate type, the ``octets`` field holds the BER encoded
+	## ASN.1 content if there is any (though, ``octets`` is may also
+	## be used for other tags such as OCTET STRINGS or Opaque).  Null
+	## values will only have their corresponding tag value set.
+	type SNMP::ObjectValue: record {
+		tag:      count;
+		oid:      string &optional;
+		signed:   int    &optional;
+		unsigned: count  &optional;
+		address:  addr   &optional;
+		octets:   string &optional;
+	};
+
+	# These aren't an enum because it's easier to type fields as count.
+	# That way don't have to deal with type conversion, plus doesn't
+	# mislead that these are the only valid tag values (it's just the set
+	# of known tags).
+    const SNMP::OBJ_INTEGER_TAG       : count = 0x02; ##< Signed 64-bit integer.
+    const SNMP::OBJ_OCTETSTRING_TAG   : count = 0x04; ##< An octet string.
+    const SNMP::OBJ_UNSPECIFIED_TAG   : count = 0x05; ##< A NULL value.
+    const SNMP::OBJ_OID_TAG           : count = 0x06; ##< An Object Identifier.
+    const SNMP::OBJ_IPADDRESS_TAG     : count = 0x40; ##< An IP address.
+    const SNMP::OBJ_COUNTER32_TAG     : count = 0x41; ##< Unsigned 32-bit integer.
+    const SNMP::OBJ_UNSIGNED32_TAG    : count = 0x42; ##< Unsigned 32-bit integer.
+    const SNMP::OBJ_TIMETICKS_TAG     : count = 0x43; ##< Unsigned 32-bit integer.
+    const SNMP::OBJ_OPAQUE_TAG        : count = 0x44; ##< An octet string.
+    const SNMP::OBJ_COUNTER64_TAG     : count = 0x46; ##< Unsigned 64-bit integer.
+    const SNMP::OBJ_NOSUCHOBJECT_TAG  : count = 0x80; ##< A NULL value.
+    const SNMP::OBJ_NOSUCHINSTANCE_TAG: count = 0x81; ##< A NULL value.
+    const SNMP::OBJ_ENDOFMIBVIEW_TAG  : count = 0x82; ##< A NULL value.
+
+	## The ``VarBind`` data structure from either :rfc:`1157` or
+	## :rfc:`3416`, which maps an Object Identifier to a value.
+	type SNMP::Binding: record {
+		oid:   string;
+		value: SNMP::ObjectValue;
+	};
+
+	## A ``VarBindList`` data structure from either :rfc:`1157` or :rfc:`3416`.
+	## A sequences of :bro:see:`SNMP::Binding`, which maps an OIDs to values.
+	type SNMP::Bindings: vector of SNMP::Binding;
+
+	## A ``PDU`` data structure from either :rfc:`1157` or :rfc:`3416`.
+	type SNMP::PDU: record {
+		request_id:   int;
+		error_status: int;
+		error_index:  int;
+		bindings:     SNMP::Bindings;
+	};
+
+	## A ``Trap-PDU`` data structure from :rfc:`1157`.
+	type SNMP::TrapPDU: record {
+		enterprise:    string;
+		agent:         addr;
+		generic_trap:  int;
+		specific_trap: int;
+		time_stamp:    count;
+		bindings:      SNMP::Bindings;
+	};
+
+	## A ``BulkPDU`` data structure from :rfc:`3416`.
+	type SNMP::BulkPDU: record {
+		request_id:      int;
+		non_repeaters:   count;
+		max_repititions: count;
+		bindings:        SNMP::Bindings;
+	};
+}
+module GLOBAL;
+
 @load base/bif/event.bif
 
 ## BPF filter the user has set via the -f command line options. Empty if none.
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index d87574f4e5..edf6e21f56 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/snmp
 @load base/protocols/smtp
 @load base/protocols/socks
 @load base/protocols/ssh
diff --git a/scripts/base/protocols/snmp/README b/scripts/base/protocols/snmp/README
new file mode 100644
index 0000000000..524c3266cc
--- /dev/null
+++ b/scripts/base/protocols/snmp/README
@@ -0,0 +1 @@
+Support for Simple Network Management Protocol (SNMP) analysis.
diff --git a/scripts/base/protocols/snmp/__load__.bro b/scripts/base/protocols/snmp/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/protocols/snmp/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.bro
new file mode 100644
index 0000000000..a2fbb23713
--- /dev/null
+++ b/scripts/base/protocols/snmp/main.bro
@@ -0,0 +1,15 @@
+##! Enables analysis of SNMP datagrams.
+
+module SNMP;
+
+export {
+}
+
+const ports = { 161/udp, 162/udp };
+
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
+	}
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index fc63aa4b66..bf063dfafc 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -28,6 +28,7 @@ add_subdirectory(ntp)
 add_subdirectory(pia)
 add_subdirectory(pop3)
 add_subdirectory(rpc)
+add_subdirectory(snmp)
 add_subdirectory(smb)
 add_subdirectory(smtp)
 add_subdirectory(socks)
diff --git a/src/analyzer/protocol/snmp/CMakeLists.txt b/src/analyzer/protocol/snmp/CMakeLists.txt
new file mode 100644
index 0000000000..7f1ffe2ed6
--- /dev/null
+++ b/src/analyzer/protocol/snmp/CMakeLists.txt
@@ -0,0 +1,11 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+                           ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro SNMP)
+bro_plugin_cc(SNMP.cc Plugin.cc)
+bro_plugin_bif(types.bif)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(snmp.pac snmp-protocol.pac snmp-analyzer.pac)
+bro_plugin_end()
diff --git a/src/analyzer/protocol/snmp/Plugin.cc b/src/analyzer/protocol/snmp/Plugin.cc
new file mode 100644
index 0000000000..e9e74f67a6
--- /dev/null
+++ b/src/analyzer/protocol/snmp/Plugin.cc
@@ -0,0 +1,9 @@
+#include "plugin/Plugin.h"
+#include "SNMP.h"
+
+BRO_PLUGIN_BEGIN(Bro, SNMP)
+	BRO_PLUGIN_DESCRIPTION("SNMP Analyzer");
+	BRO_PLUGIN_ANALYZER("SNMP", snmp::SNMP_Analyzer);
+	BRO_PLUGIN_BIF_FILE(types);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END
diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc
new file mode 100644
index 0000000000..110479406c
--- /dev/null
+++ b/src/analyzer/protocol/snmp/SNMP.cc
@@ -0,0 +1,38 @@
+#include "SNMP.h"
+#include "Func.h"
+#include "types.bif.h"
+#include "events.bif.h"
+
+using namespace analyzer::snmp;
+
+SNMP_Analyzer::SNMP_Analyzer(Connection* conn)
+	: Analyzer("SNMP", conn)
+	{
+	interp = new binpac::SNMP::SNMP_Conn(this);
+	}
+
+SNMP_Analyzer::~SNMP_Analyzer()
+	{
+	delete interp;
+	}
+
+void SNMP_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+                                  int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(e.c_msg());
+		}
+	}
diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h
new file mode 100644
index 0000000000..f6dedc7b87
--- /dev/null
+++ b/src/analyzer/protocol/snmp/SNMP.h
@@ -0,0 +1,29 @@
+#ifndef ANALYZER_PROTOCOL_SNMP_SNMP_H
+#define ANALYZER_PROTOCOL_SNMP_SNMP_H
+
+#include "snmp_pac.h"
+
+namespace analyzer { namespace snmp {
+
+class SNMP_Analyzer : public analyzer::Analyzer {
+
+public:
+
+	SNMP_Analyzer(Connection* conn);
+	virtual ~SNMP_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+	                           int seq, const IP_Hdr* ip, int caplen);
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SNMP_Analyzer(conn); }
+
+protected:
+
+	binpac::SNMP::SNMP_Conn* interp;
+};
+
+} } // namespace analyzer::*
+
+#endif
diff --git a/src/analyzer/protocol/snmp/events.bif b/src/analyzer/protocol/snmp/events.bif
new file mode 100644
index 0000000000..af5f2ba969
--- /dev/null
+++ b/src/analyzer/protocol/snmp/events.bif
@@ -0,0 +1,166 @@
+
+## An SNMP ``GetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_get_request%(c: connection, is_orig: bool, header: SNMP::Header,
+                        pdu: SNMP::PDU%);
+
+## An SNMP ``GetNextRequest-PDU`` message from either :rfc:`1157` or
+## :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_get_next_request%(c: connection, is_orig: bool,
+                             header: SNMP::Header, pdu: SNMP::PDU%);
+
+## An SNMP ``GetResponse-PDU`` message from :rfc:`1157` or a
+## ``Response-PDU`` from :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_response%(c: connection, is_orig: bool, header: SNMP::Header,
+                     pdu: SNMP::PDU%);
+
+## An SNMP ``SetRequest-PDU`` message from either :rfc:`1157` or :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_set_request%(c: connection, is_orig: bool, header: SNMP::Header,
+                        pdu: SNMP::PDU%);
+
+## An SNMP ``Trap-PDU`` message from :rfc:`1157`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_trap%(c: connection, is_orig: bool, header: SNMP::Header,
+                 pdu: SNMP::TrapPDU%);
+
+## An SNMP ``GetBulkRequest-PDU`` message from :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_get_bulk_request%(c: connection, is_orig: bool,
+                             header: SNMP::Header, pdu: SNMP::BulkPDU%);
+
+## An SNMP ``InformRequest-PDU`` message from :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_inform_request%(c: connection, is_orig: bool, header: SNMP::Header,
+                           pdu: SNMP::PDU%);
+
+## An SNMP ``SNMPv2-Trap-PDU`` message from :rfc:`1157`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_trapV2%(c: connection, is_orig: bool, header: SNMP::Header,
+                   pdu: SNMP::PDU%);
+
+## An SNMP ``Report-PDU`` message from :rfc:`3416`.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## pdu: An SNMP PDU data structure.
+event snmp_report%(c: connection, is_orig: bool, header: SNMP::Header,
+                   pdu: SNMP::PDU%);
+
+## An SNMP PDU message of unknown type.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## tag: The tag of the unknown SNMP PDU.
+event snmp_unknown_pdu%(c: connection, is_orig: bool, header: SNMP::Header,
+                        tag: count%);
+
+## An SNMPv3 ``ScopedPDUData`` of unknown type (neither plaintext or
+## an encrypted PDU was in the datagram).
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+##
+## tag: The tag of the unknown SNMP PDU scope.
+event snmp_unknown_scoped_pdu%(c: connection, is_orig: bool,
+                               header: SNMP::Header, tag: count%);
+
+## An SNMPv3 encrypted PDU message.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## header: SNMP version-dependent data that precedes PDU data in the top-level
+##         SNMP message structure.
+event snmp_encrypted_pdu%(c: connection, is_orig: bool, header: SNMP::Header%);
+
+## A datagram with an unknown SNMP version.
+##
+## c: The connection overwhich the SNMP datagram is sent.
+##
+## is_orig: The endpoint which sent the SNMP datagram.
+##
+## version: The value of the unknown SNMP version.
+event snmp_unknown_header_version%(c: connection, is_orig: bool,
+                                   version: count%);
diff --git a/src/analyzer/protocol/snmp/snmp-analyzer.pac b/src/analyzer/protocol/snmp/snmp-analyzer.pac
new file mode 100644
index 0000000000..1a864df8b9
--- /dev/null
+++ b/src/analyzer/protocol/snmp/snmp-analyzer.pac
@@ -0,0 +1,590 @@
+
+%header{
+StringVal* asn1_oid_to_val(const ASN1Encoding* oid);
+StringVal* asn1_oid_to_val(const ASN1ObjectIdentifier* oid);
+
+Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t);
+Val* asn1_integer_to_val(const ASN1Integer* i, TypeTag t);
+
+StringVal* asn1_octet_string_to_val(const ASN1Encoding* s);
+StringVal* asn1_octet_string_to_val(const ASN1OctetString* s);
+
+AddrVal* network_address_to_val(const ASN1Encoding* na);
+AddrVal* network_address_to_val(const NetworkAddress* na);
+
+Val* asn1_obj_to_val(const ASN1Encoding* obj);
+
+RecordVal* build_hdr(const Header* header);
+RecordVal* build_hdrV3(const Header* header);
+VectorVal* build_bindings(const VarBindList* vbl);
+RecordVal* build_pdu(const CommonPDU* pdu);
+RecordVal* build_trap_pdu(const TrapPDU* pdu);
+RecordVal* build_bulk_pdu(const GetBulkRequestPDU* pdu);
+%}
+
+%code{
+
+StringVal* asn1_oid_to_val(const ASN1ObjectIdentifier* oid)
+	{
+	return asn1_oid_to_val(oid->encoding());
+	}
+
+StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
+	{
+	vector<uint64> oid_components;
+	vector<vector<uint8> > subidentifiers;
+	vector<uint64> subidentifier_values;
+	vector<uint8> subidentifier;
+	bytestring const& bs = oid->content();
+
+	for ( int i = 0; i < bs.length(); ++i )
+		{
+		if ( bs[i] & 0x80 )
+			subidentifier.push_back(bs[i] & 0x7f);
+		else
+			{
+			subidentifier.push_back(bs[i]);
+			subidentifiers.push_back(subidentifier);
+			subidentifier.clear();
+			}
+		}
+
+	if ( ! subidentifier.empty() || subidentifiers.size() < 1 )
+		// Underflow.
+		return new StringVal("");
+
+	for ( size_t i = 0; i < subidentifiers.size(); ++i )
+		{
+		subidentifier = subidentifiers[i];
+		uint64 value = 0;
+
+		for ( size_t j = 0; j < subidentifier.size(); ++j )
+			{
+			uint64 byte = subidentifier[j];
+			value |= byte << (7 * (subidentifier.size() - (j + 1)));
+			}
+
+		subidentifier_values.push_back(value);
+		}
+
+	string rval;
+
+	for ( size_t i = 0; i < subidentifier_values.size(); ++i )
+		{
+		char tmp[32];
+
+		if ( i > 0 )
+			{
+			rval += ".";
+			snprintf(tmp, sizeof(tmp), "%"PRIu64, subidentifier_values[i]);
+			rval += tmp;
+			}
+		else
+			{
+			std::div_t result = div(subidentifier_values[i], 40);
+			snprintf(tmp, sizeof(tmp), "%d", result.quot);
+			rval += tmp;
+			rval += ".";
+			snprintf(tmp, sizeof(tmp), "%d", result.rem);
+			rval += tmp;
+			}
+		}
+
+	return new StringVal(rval);
+	}
+
+Val* asn1_obj_to_val(const ASN1Encoding* obj)
+	{
+	RecordVal* rval = new RecordVal(BifType::Record::SNMP::ObjectValue);
+	uint8 tag = obj->meta()->tag();
+
+	rval->Assign(0, new Val(tag, TYPE_COUNT));
+
+	switch ( tag ) {
+	case VARBIND_UNSPECIFIED_TAG:
+	case VARBIND_NOSUCHOBJECT_TAG:
+	case VARBIND_NOSUCHINSTANCE_TAG:
+	case VARBIND_ENDOFMIBVIEW_TAG:
+		break;
+
+	case ASN1_OBJECT_IDENTIFIER_TAG:
+		rval->Assign(1, asn1_oid_to_val(obj));
+		break;
+
+	case ASN1_INTEGER_TAG:
+		rval->Assign(2, asn1_integer_to_val(obj, TYPE_INT));
+		break;
+
+	case APP_COUNTER32_TAG:
+	case APP_UNSIGNED32_TAG:
+	case APP_TIMETICKS_TAG:
+	case APP_COUNTER64_TAG:
+		rval->Assign(3, asn1_integer_to_val(obj, TYPE_COUNT));
+		break;
+
+	case APP_IPADDRESS_TAG:
+		rval->Assign(4, network_address_to_val(obj));
+		break;
+
+	case ASN1_OCTET_STRING_TAG:
+	case APP_OPAQUE_TAG:
+	default:
+		rval->Assign(5, asn1_octet_string_to_val(obj));
+		break;
+	}
+
+	return rval;
+	}
+
+StringVal* asn1_octet_string_to_val(const ASN1OctetString* s)
+	{
+	return asn1_octet_string_to_val(s->encoding());
+	}
+
+StringVal* asn1_octet_string_to_val(const ASN1Encoding* s)
+	{
+	bytestring const& bs = s->content();
+	return new StringVal(bs.length(), reinterpret_cast<const char*>(bs.data()));
+	}
+
+Val* asn1_integer_to_val(const ASN1Integer* i, TypeTag t)
+	{
+	return asn1_integer_to_val(i->encoding(), t);
+	}
+
+Val* asn1_integer_to_val(const ASN1Encoding* i, TypeTag t)
+	{
+	return new Val(binary_to_int64(i->content()), t);
+	}
+
+AddrVal* network_address_to_val(const NetworkAddress* na)
+	{
+	return network_address_to_val(na->encoding());
+	}
+
+AddrVal* network_address_to_val(const ASN1Encoding* na)
+	{
+	bytestring const& bs = na->content();
+
+	// IPv6 can probably be presumed to be a octet string of length 16,
+	// but standards don't seem to currently make any provisions for IPv6,
+	// so ignore anything that can't be IPv4.
+	if ( bs.length() != 4 )
+		return new AddrVal(IPAddr());
+
+	const u_char* data = reinterpret_cast<const u_char*>(bs.data());
+	uint32 network_order = extract_uint32(data);
+	return new AddrVal(network_order);
+	}
+
+Val* time_ticks_to_val(const TimeTicks* tt)
+	{
+	return asn1_integer_to_val(tt->asn1_integer(), TYPE_COUNT);
+	}
+
+RecordVal* build_hdr(const Header* header)
+	{
+	RecordVal* rv = new RecordVal(BifType::Record::SNMP::Header);
+	rv->Assign(0, new Val(header->version(), TYPE_COUNT));
+
+	switch ( header->version() ) {
+	case SNMPV1_TAG:
+		{
+		RecordVal* v1 = new RecordVal(BifType::Record::SNMP::HeaderV1);
+		v1->Assign(0, asn1_octet_string_to_val(header->v1()->community()));
+		rv->Assign(1, v1);
+		}
+		break;
+
+	case SNMPV2_TAG:
+		{
+		RecordVal* v2 = new RecordVal(BifType::Record::SNMP::HeaderV2);
+		v2->Assign(0, asn1_octet_string_to_val(header->v2()->community()));
+		rv->Assign(2, v2);
+		}
+		break;
+
+	case SNMPV3_TAG:
+		{
+		rv->Assign(3, build_hdrV3(header));
+		}
+		break;
+	}
+
+	return rv;
+	}
+
+RecordVal* build_hdrV3(const Header* header)
+	{
+	RecordVal* v3 = new RecordVal(BifType::Record::SNMP::HeaderV3);
+	const v3Header* v3hdr = header->v3();
+	const v3HeaderData* global_data = v3hdr->global_data();
+	bytestring const& flags = global_data->flags()->encoding()->content();
+	uint8 flags_byte = flags.length() > 0 ? flags[0] : 0;
+
+	v3->Assign(0, asn1_integer_to_val(global_data->id(), TYPE_COUNT));
+	v3->Assign(1, asn1_integer_to_val(global_data->max_size(),
+	                                        TYPE_COUNT));
+	v3->Assign(2, new Val(flags_byte, TYPE_COUNT));
+	v3->Assign(3, new Val(flags_byte & 0x01, TYPE_BOOL));
+	v3->Assign(4, new Val(flags_byte & 0x02, TYPE_BOOL));
+	v3->Assign(5, new Val(flags_byte & 0x04, TYPE_BOOL));
+	v3->Assign(6, asn1_integer_to_val(global_data->security_model(),
+	                                        TYPE_COUNT));
+	v3->Assign(7, asn1_octet_string_to_val(v3hdr->security_parameters()));
+
+	if ( v3hdr->next()->tag() == ASN1_SEQUENCE_TAG )
+		{
+		const v3ScopedPDU* spdu = v3hdr->plaintext_pdu();
+		RecordVal* rv = new RecordVal(BifType::Record::SNMP::ScopedPDU_Context);
+		rv->Assign(0, asn1_octet_string_to_val(spdu->context_engine_id()));
+		rv->Assign(1, asn1_octet_string_to_val(spdu->context_name()));
+		v3->Assign(8, rv);
+		}
+
+	return v3;
+	}
+
+VectorVal* build_bindings(const VarBindList* vbl)
+	{
+	VectorVal* vv = new VectorVal(BifType::Vector::SNMP::Bindings);
+
+	for ( size_t i = 0; i < vbl->bindings()->size(); ++i )
+		{
+		VarBind* vb = (*vbl->bindings())[i];
+		RecordVal* binding = new RecordVal(BifType::Record::SNMP::Binding);
+		binding->Assign(0, asn1_oid_to_val(vb->name()->oid()));
+		binding->Assign(1, asn1_obj_to_val(vb->value()->encoding()));
+		vv->Assign(i, binding);
+		}
+
+	return vv;
+	}
+
+RecordVal* build_pdu(const CommonPDU* pdu)
+	{
+	RecordVal* rv = new RecordVal(BifType::Record::SNMP::PDU);
+	rv->Assign(0, asn1_integer_to_val(pdu->request_id(), TYPE_INT));
+	rv->Assign(1, asn1_integer_to_val(pdu->error_status(), TYPE_INT));
+	rv->Assign(2, asn1_integer_to_val(pdu->error_index(), TYPE_INT));
+	rv->Assign(3, build_bindings(pdu->var_bindings()));
+	return rv;
+	}
+
+RecordVal* build_trap_pdu(const TrapPDU* pdu)
+	{
+	RecordVal* rv = new RecordVal(BifType::Record::SNMP::TrapPDU);
+	rv->Assign(0, asn1_oid_to_val(pdu->enterprise()));
+	rv->Assign(1, network_address_to_val(pdu->agent_addr()));
+	rv->Assign(2, asn1_integer_to_val(pdu->generic_trap(), TYPE_INT));
+	rv->Assign(3, asn1_integer_to_val(pdu->specific_trap(), TYPE_INT));
+	rv->Assign(4, time_ticks_to_val(pdu->time_stamp()));
+	rv->Assign(5, build_bindings(pdu->var_bindings()));
+	return rv;
+	}
+
+RecordVal* build_bulk_pdu(const GetBulkRequestPDU* pdu)
+	{
+	RecordVal* rv =  new RecordVal(BifType::Record::SNMP::BulkPDU);
+	rv->Assign(0, asn1_integer_to_val(pdu->request_id(), TYPE_INT));
+	rv->Assign(1, asn1_integer_to_val(pdu->non_repeaters(), TYPE_COUNT));
+	rv->Assign(2, asn1_integer_to_val(pdu->max_repititions(), TYPE_COUNT));
+	rv->Assign(3, build_bindings(pdu->var_bindings()));
+	return rv;
+	}
+%}
+
+refine connection SNMP_Conn += {
+
+	function proc_get_request(pdu: GetRequestPDU): bool
+		%{
+		if ( ! snmp_get_request )
+			return false;
+
+		BifEvent::generate_snmp_get_request(bro_analyzer(),
+		                                    bro_analyzer()->Conn(),
+		                                    ${pdu.header.is_orig},
+		                                    build_hdr(${pdu.header}),
+		                                    build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_get_next_request(pdu: GetNextRequestPDU): bool
+		%{
+		if ( ! snmp_get_next_request )
+			return false;
+
+		BifEvent::generate_snmp_get_next_request(bro_analyzer(),
+		                                         bro_analyzer()->Conn(),
+		                                         ${pdu.header.is_orig},
+		                                         build_hdr(${pdu.header}),
+		                                         build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_response(pdu: ResponsePDU): bool
+		%{
+		if ( ! snmp_response )
+			return false;
+
+		BifEvent::generate_snmp_response(bro_analyzer(),
+		                                 bro_analyzer()->Conn(),
+		                                 ${pdu.header.is_orig},
+		                                 build_hdr(${pdu.header}),
+		                                 build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_set_request(pdu: SetRequestPDU): bool
+		%{
+		if ( ! snmp_set_request )
+			return false;
+
+		BifEvent::generate_snmp_set_request(bro_analyzer(),
+		                                    bro_analyzer()->Conn(),
+		                                    ${pdu.header.is_orig},
+		                                    build_hdr(${pdu.header}),
+		                                    build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_trap(pdu: TrapPDU): bool
+		%{
+		if ( ! snmp_trap )
+			return false;
+
+		BifEvent::generate_snmp_trap(bro_analyzer(),
+		                             bro_analyzer()->Conn(),
+		                             ${pdu.header.is_orig},
+		                             build_hdr(${pdu.header}),
+		                             build_trap_pdu(${pdu}));
+		return true;
+		%}
+
+	function proc_get_bulk_request(pdu: GetBulkRequestPDU): bool
+		%{
+		if ( ! snmp_get_bulk_request )
+			return false;
+
+		BifEvent::generate_snmp_get_bulk_request(bro_analyzer(),
+		                                         bro_analyzer()->Conn(),
+		                                         ${pdu.header.is_orig},
+		                                         build_hdr(${pdu.header}),
+		                                         build_bulk_pdu(${pdu}));
+		return true;
+		%}
+
+	function proc_inform_request(pdu: InformRequestPDU): bool
+		%{
+		if ( ! snmp_inform_request )
+			return false;
+
+		BifEvent::generate_snmp_inform_request(bro_analyzer(),
+		                                       bro_analyzer()->Conn(),
+		                                       ${pdu.header.is_orig},
+		                                       build_hdr(${pdu.header}),
+		                                       build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_v2_trap(pdu: v2TrapPDU): bool
+		%{
+		if ( ! snmp_trapV2 )
+			return false;
+
+		BifEvent::generate_snmp_trapV2(bro_analyzer(),
+		                               bro_analyzer()->Conn(),
+		                               ${pdu.header.is_orig},
+		                               build_hdr(${pdu.header}),
+		                               build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_report(pdu: ReportPDU): bool
+		%{
+		if ( ! snmp_report )
+			return false;
+
+		BifEvent::generate_snmp_report(bro_analyzer(),
+		                               bro_analyzer()->Conn(),
+		                               ${pdu.header.is_orig},
+		                               build_hdr(${pdu.header}),
+		                               build_pdu(${pdu.pdu}));
+		return true;
+		%}
+
+	function proc_unknown_version_header(rec: UnknownVersionHeader): bool
+		%{
+		if ( ! snmp_unknown_header_version )
+			return false;
+
+		BifEvent::generate_snmp_unknown_header_version(bro_analyzer(),
+		                                               bro_analyzer()->Conn(),
+		                                               ${rec.header.is_orig},
+		                                               ${rec.header.version});
+		return true;
+		%}
+
+	function proc_unknown_pdu(rec: UnknownPDU): bool
+		%{
+		if ( ! snmp_unknown_pdu )
+			return false;
+
+		BifEvent::generate_snmp_unknown_pdu(bro_analyzer(),
+		                                    bro_analyzer()->Conn(),
+		                                    ${rec.header.is_orig},
+		                                    build_hdr(${rec.header}),
+		                                    ${rec.tag});
+		return true;
+		%}
+
+	function proc_unknown_scoped_pdu(rec: UnknownScopedPDU): bool
+		%{
+		if ( ! snmp_unknown_scoped_pdu )
+			return false;
+
+		BifEvent::generate_snmp_unknown_scoped_pdu(bro_analyzer(),
+		                                           bro_analyzer()->Conn(),
+		                                           ${rec.header.is_orig},
+		                                           build_hdr(${rec.header}),
+		                                           ${rec.tag});
+		return true;
+		%}
+
+	function proc_encrypted_pdu(rec: EncryptedPDU): bool
+		%{
+		if ( ! snmp_encrypted_pdu )
+			return false;
+
+		BifEvent::generate_snmp_encrypted_pdu(bro_analyzer(),
+		                                      bro_analyzer()->Conn(),
+		                                      ${rec.header.is_orig},
+		                                      build_hdr(${rec.header}));
+		return true;
+		%}
+
+	function proc_header(rec: Header): bool
+		%{
+		if ( rec->unknown() )
+			return false;
+
+		bro_analyzer()->ProtocolConfirmation();
+		return true;
+		%}
+
+	function proc_v3_header_data(rec: v3HeaderData): bool
+		%{
+		if ( rec->flags()->encoding()->content().length() == 1 )
+			return true;
+
+		bro_analyzer()->ProtocolViolation("Invalid v3 HeaderData msgFlags");
+		return false;
+		%}
+
+	function check_tag(rec: ASN1EncodingMeta, expect: uint8): bool
+		%{
+		if ( rec->tag() == expect )
+			return true;
+
+		// Unwind now to stop parsing because it's definitely the
+		// wrong protocol and parsing further could be expensive.
+		// Upper layer of analyzer will catch and call ProtocolViolation().
+		throw binpac::Exception(fmt("Got ASN.1 tag %d, expect %d",
+		                        rec->tag(), expect));
+		return false;
+		%}
+
+	function check_int_width(rec: ASN1Integer): bool
+		%{
+		int len = rec->encoding()->content().length();
+
+		if ( len <= 9 )
+			// All integers use two's complement form, so an unsigned 64-bit
+			// integer value can require 9 octets to encode if the highest
+			// order bit is set.
+			return true;
+
+		throw binpac::Exception(fmt("ASN.1 integer width overflow: %d", len));
+		return false;
+		%}
+
+	function check_int(rec: ASN1Integer): bool
+		%{
+		return check_tag(rec->encoding()->meta(), ASN1_INTEGER_TAG) &&
+		       check_int_width(rec);
+		%}
+};
+
+refine typeattr GetRequestPDU += &let {
+	proc: bool = $context.connection.proc_get_request(this);
+};
+refine typeattr GetNextRequestPDU += &let {
+	proc: bool = $context.connection.proc_get_next_request(this);
+};
+refine typeattr ResponsePDU += &let {
+	proc: bool = $context.connection.proc_response(this);
+};
+refine typeattr SetRequestPDU += &let {
+	proc: bool = $context.connection.proc_set_request(this);
+};
+refine typeattr TrapPDU += &let {
+	proc: bool = $context.connection.proc_trap(this);
+};
+refine typeattr GetBulkRequestPDU += &let {
+	proc: bool = $context.connection.proc_get_bulk_request(this);
+};
+refine typeattr InformRequestPDU += &let {
+	proc: bool = $context.connection.proc_inform_request(this);
+};
+refine typeattr v2TrapPDU += &let {
+	proc: bool = $context.connection.proc_v2_trap(this);
+};
+refine typeattr ReportPDU += &let {
+	proc: bool = $context.connection.proc_report(this);
+};
+
+refine typeattr UnknownVersionHeader += &let {
+	proc: bool = $context.connection.proc_unknown_version_header(this);
+};
+refine typeattr UnknownPDU += &let {
+	proc: bool = $context.connection.proc_unknown_pdu(this);
+};
+refine typeattr UnknownScopedPDU += &let {
+	proc: bool = $context.connection.proc_unknown_scoped_pdu(this);
+};
+refine typeattr EncryptedPDU += &let {
+	proc: bool = $context.connection.proc_encrypted_pdu(this);
+};
+
+refine typeattr Header += &let {
+	proc: bool = $context.connection.proc_header(this);
+};
+
+refine typeattr v3HeaderData += &let {
+	proc: bool = $context.connection.proc_v3_header_data(this);
+};
+
+refine typeattr NetworkAddress += &let {
+	valid: bool = $context.connection.check_tag(encoding.meta,
+	                                            APP_IPADDRESS_TAG);
+};
+refine typeattr TimeTicks += &let {
+	valid: bool = $context.connection.check_tag(asn1_integer.meta,
+	                                            APP_TIMETICKS_TAG);
+};
+
+refine typeattr ASN1SequenceMeta += &let {
+	valid: bool = $context.connection.check_tag(encoding,
+	                                            ASN1_SEQUENCE_TAG);
+};
+refine typeattr ASN1Integer += &let {
+	valid: bool = $context.connection.check_int(this);
+};
+refine typeattr ASN1OctetString += &let {
+	valid: bool = $context.connection.check_tag(encoding.meta,
+	                                            ASN1_OCTET_STRING_TAG);
+};
+refine typeattr ASN1ObjectIdentifier += &let {
+	valid: bool = $context.connection.check_tag(encoding.meta,
+	                                            ASN1_OBJECT_IDENTIFIER_TAG);
+};
diff --git a/src/analyzer/protocol/snmp/snmp-protocol.pac b/src/analyzer/protocol/snmp/snmp-protocol.pac
new file mode 100644
index 0000000000..8d9b602ea2
--- /dev/null
+++ b/src/analyzer/protocol/snmp/snmp-protocol.pac
@@ -0,0 +1,272 @@
+# SNMPv1:  RFC 1157
+# SNMPv2:  RFC 1901 and 3416
+# SNMPv3:  RFC 3412
+# Variable Bindings use definitions from RFC 1155 (and 3416).
+#
+# The SNMP protocol uses a well-defined subset of ASN.1 with the
+# Basic Encoding Rules (BER).  Definite-length encodings are always
+# used.  Primitive or non-constructor encodings are preferred over
+# constructor encodings.
+
+type TopLevelMessage(is_orig: bool) = record {
+	asn1_sequence_meta: ASN1SequenceMeta;
+	version:            ASN1Integer;
+	header:             Header(version_value, is_orig);
+	pdu_or_not:         case have_plaintext_pdu(header) of {
+		false -> none: empty;
+		true  -> pdu:  PDU_Choice(header);
+	};
+} &let {
+	version_value: int64 = binary_to_int64(version.encoding.content);
+};
+
+############################## SNMP Header Versions
+
+enum SNMP_VersionTag {
+	SNMPV1_TAG = 0,
+	SNMPV2_TAG = 1,
+	SNMPV3_TAG = 3,
+};
+
+type Header(version: int64, is_orig: bool) = case version of {
+	SNMPV1_TAG -> v1:      v1Header(this);
+	SNMPV2_TAG -> v2:      v2Header(this);
+	SNMPV3_TAG -> v3:      v3Header(this);
+	default    -> unknown: UnknownVersionHeader(this);
+};
+
+function have_plaintext_pdu(header: Header): bool =
+	case header.version of {
+		SNMPV1_TAG -> true;
+		SNMPV2_TAG -> true;
+		SNMPV3_TAG -> header.v3.next.tag == ASN1_SEQUENCE_TAG;
+		default    -> false;
+	};
+
+type PDU_Choice(header: Header) = record {
+	choice: ASN1EncodingMeta;
+	pdu:    PDU(choice.tag, header);
+};
+
+type PDU(choice: uint8, header: Header) = case choice of {
+	default -> unknown: UnknownPDU(choice, header);
+};
+
+refine casetype PDU += {
+	# PDU choices from RFC 1157.
+	0xa0    -> get_request:      GetRequestPDU(header);
+	0xa1    -> get_next_request: GetNextRequestPDU(header);
+	0xa2    -> response:         ResponsePDU(header);
+	0xa3    -> set_request:      SetRequestPDU(header);
+	0xa4    -> trap:             TrapPDU(header);
+};
+
+refine casetype PDU += {
+	# PDU choices from RFC 3416.
+	0xa5    -> get_bulk_request: GetBulkRequestPDU(header);
+	0xa6    -> inform_request:   InformRequestPDU(header);
+	0xa7    -> v2_trap:          v2TrapPDU(header);
+	0xa8    -> report:           ReportPDU(header);
+};
+
+type v1Header(header: Header) = record {
+	community:  ASN1OctetString;
+};
+
+type v2Header(header: Header) = record {
+	community:  ASN1OctetString;
+};
+
+type v3Header(header: Header) = record {
+	global_data:         v3HeaderData;
+	security_parameters: ASN1OctetString;
+	next:                ASN1EncodingMeta;
+	scoped_pdu_data:     case next.tag of {
+		ASN1_SEQUENCE_TAG     -> plaintext_pdu: v3ScopedPDU;
+		ASN1_OCTET_STRING_TAG -> encrypted_pdu: EncryptedPDU(header);
+		default               -> unknown_pdu:   UnknownScopedPDU(next.tag,
+		                                                         header);
+	};
+};
+
+type v3HeaderData = record {
+	asn1_sequence_meta: ASN1SequenceMeta;
+	id:                 ASN1Integer;
+	max_size:           ASN1Integer;
+	flags:              ASN1OctetString;
+	security_model:     ASN1Integer;
+};
+
+type v3ScopedPDU = record {
+	context_engine_id: ASN1OctetString;
+	context_name:      ASN1OctetString;
+};
+
+type EncryptedPDU(header: Header) = record {
+	data: bytestring &restofdata &transient;
+};
+
+type UnknownScopedPDU(tag: uint8, header: Header) = record {
+	data: bytestring &restofdata &transient;
+};
+
+type UnknownVersionHeader(header: Header) = record {
+	data: bytestring &restofdata &transient;
+};
+
+############################## SNMP PDUs
+
+type CommonPDU(header: Header) = record {
+	request_id:         ASN1Integer;
+	error_status:       ASN1Integer;
+	error_index:        ASN1Integer;
+	var_bindings:       VarBindList;
+};
+
+type GetRequestPDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type GetNextRequestPDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type ResponsePDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type SetRequestPDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type TrapPDU(header: Header) = record {
+	enterprise:         ASN1ObjectIdentifier;
+	agent_addr:         NetworkAddress;
+	generic_trap:       ASN1Integer;
+	specific_trap:      ASN1Integer;
+	time_stamp:         TimeTicks;
+	var_bindings:       VarBindList;
+};
+
+type GetBulkRequestPDU(header: Header) = record {
+	request_id:         ASN1Integer;
+	non_repeaters:      ASN1Integer;
+	max_repititions:    ASN1Integer;
+	var_bindings:       VarBindList;
+};
+
+type InformRequestPDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type v2TrapPDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type ReportPDU(header: Header) = record {
+	pdu: CommonPDU(header);
+};
+
+type UnknownPDU(tag: uint8, header: Header) = record {
+	data: bytestring &restofdata &transient;
+};
+
+type VarBindList = record {
+	asn1_sequence_meta: ASN1SequenceMeta;
+	bindings:           VarBind[];
+};
+
+type VarBind = record {
+	asn1_sequence_meta: ASN1SequenceMeta;
+	name:               ObjectName;
+	value:              ObjectSyntax;
+};
+
+############################## Variable Binding Encodings (RFC 1155 and 3416)
+
+type ObjectName = record {
+	oid: ASN1ObjectIdentifier;
+};
+
+type ObjectSyntax = record {
+	encoding: ASN1Encoding; # The tag may be a CHOICE among several;
+};
+
+type NetworkAddress = record {
+	encoding: ASN1Encoding;
+};
+
+type TimeTicks = record {
+	asn1_integer: ASN1Encoding;
+};
+
+enum AppSyntaxTypeTag {
+	APP_IPADDRESS_TAG  = 0x40,
+	APP_COUNTER32_TAG  = 0x41,
+	APP_UNSIGNED32_TAG = 0x42,
+	APP_TIMETICKS_TAG  = 0x43,
+	APP_OPAQUE_TAG     = 0x44,
+	APP_COUNTER64_TAG  = 0x46,
+};
+
+enum VarBindNullTag {
+	VARBIND_UNSPECIFIED_TAG    = 0x05,
+	VARBIND_NOSUCHOBJECT_TAG   = 0x80,
+	VARBIND_NOSUCHINSTANCE_TAG = 0x81,
+	VARBIND_ENDOFMIBVIEW_TAG   = 0x82,
+};
+
+############################## ASN.1 Encodings
+
+enum ASN1TypeTag {
+	ASN1_INTEGER_TAG           = 0x02,
+	ASN1_OCTET_STRING_TAG      = 0x04,
+	ASN1_NULL_TAG              = 0x05,
+	ASN1_OBJECT_IDENTIFIER_TAG = 0x06,
+	ASN1_SEQUENCE_TAG          = 0x30,
+};
+
+type ASN1Encoding = record {
+	meta:    ASN1EncodingMeta;
+	content: bytestring &length = meta.length;
+};
+
+type ASN1EncodingMeta = record {
+	tag:      uint8;
+	len:      uint8;
+	more_len: bytestring &length = long_len ? len & 0x7f : 0;
+} &let {
+	long_len: bool = len & 0x80;
+	length:   uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
+};
+
+type ASN1SequenceMeta = record {
+	encoding: ASN1EncodingMeta;
+};
+
+type ASN1Integer = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1OctetString = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1ObjectIdentifier = record {
+	encoding: ASN1Encoding;
+};
+
+############################## ASN.1 Conversion Functions
+
+function binary_to_int64(bs: bytestring): int64
+	%{
+	int64 rval = 0;
+
+	for ( int i = 0; i < bs.length(); ++i )
+		{
+		uint64 byte = bs[i];
+		rval |= byte << (8 * (bs.length() - (i + 1)));
+		}
+
+	return rval;
+	%}
diff --git a/src/analyzer/protocol/snmp/snmp.pac b/src/analyzer/protocol/snmp/snmp.pac
new file mode 100644
index 0000000000..29b9d32e73
--- /dev/null
+++ b/src/analyzer/protocol/snmp/snmp.pac
@@ -0,0 +1,25 @@
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#include "types.bif.h"
+#include "events.bif.h"
+%}
+
+analyzer SNMP withcontext {
+	connection: SNMP_Conn;
+	flow:       SNMP_Flow;
+};
+
+connection SNMP_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = SNMP_Flow(true);
+	downflow = SNMP_Flow(false);
+};
+
+%include snmp-protocol.pac
+
+flow SNMP_Flow(is_orig: bool) {
+	datagram = TopLevelMessage(is_orig) withcontext(connection, this);
+};
+
+%include snmp-analyzer.pac
diff --git a/src/analyzer/protocol/snmp/types.bif b/src/analyzer/protocol/snmp/types.bif
new file mode 100644
index 0000000000..40d995284d
--- /dev/null
+++ b/src/analyzer/protocol/snmp/types.bif
@@ -0,0 +1,18 @@
+
+module SNMP;
+
+type Header: record;
+type HeaderV1: record;
+type HeaderV2: record;
+type HeaderV3: record;
+
+type PDU: record;
+type TrapPDU: record;
+type BulkPDU: record;
+type ScopedPDU_Context: record;
+
+type ObjectValue: record;
+type Binding: record;
+type Bindings: vector;
+
+module GLOBAL;
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index daa23f3b7a..f2825e6cb8 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -1,5 +1,7 @@
 2 1080
 1 137
+1 161
+1 162
 1 20000
 1 21
 1 2123
@@ -39,8 +41,8 @@
 1 992
 1 993
 1 995
-43 and
-42 or
-43 port
+45 and
+44 or
+45 port
 32 tcp
-11 udp
+13 udp
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 0218611d1c..6828e6aa58 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-10-30-16-52-11
+#open	2014-02-18-18-10-43
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -12,6 +12,7 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/strings.bif.bro
   build/scripts/base/bif/bro.bif.bro
   build/scripts/base/bif/reporter.bif.bro
+  build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
   build/scripts/base/bif/event.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
@@ -53,6 +54,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
@@ -101,4 +103,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2013-10-30-16-52-11
+#close	2014-02-18-18-10-43
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 76b3f3a596..5d32b25823 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-01-31-22-54-38
+#open	2014-02-18-18-10-44
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -12,6 +12,7 @@ scripts/base/init-bare.bro
   build/scripts/base/bif/strings.bif.bro
   build/scripts/base/bif/bro.bif.bro
   build/scripts/base/bif/reporter.bif.bro
+  build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
   build/scripts/base/bif/event.bif.bro
   build/scripts/base/bif/plugins/__load__.bro
     build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro
@@ -53,6 +54,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
@@ -200,6 +202,8 @@ scripts/base/init-default.bro
     scripts/base/protocols/modbus/consts.bro
     scripts/base/protocols/modbus/main.bro
   scripts/base/protocols/pop3/__load__.bro
+  scripts/base/protocols/snmp/__load__.bro
+    scripts/base/protocols/snmp/main.bro
   scripts/base/protocols/smtp/__load__.bro
     scripts/base/protocols/smtp/main.bro
     scripts/base/protocols/smtp/entities.bro
@@ -222,4 +226,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-01-31-22-54-38
+#close	2014-02-18-18-10-44
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out1 b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out1
new file mode 100644
index 0000000000..f564ee0c62
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out1
@@ -0,0 +1,598 @@
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15916/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 38
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15916/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 38
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x06): 1.3.6.1.4.1.2001.1.1.1.297.93.1.27.2.2.1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15917/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 39
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15917/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 39
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x04): B6300
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x04): Chandra's cube
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15918/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 40
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.6.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15918/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 40
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.6.1
+    value (tag=0x04): ^H\07^U\xe6\xbc
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15919/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 41
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130104
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130102
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14130400
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15919/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 41
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130104
+    value (tag=0x04): 172.31.19.2
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130102
+    value (tag=0x04): 255.255.255.0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14130400
+    value (tag=0x02): 1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15920/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 42
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.43.14.1.1.6.1.5
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15920/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 42
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.43.14.1.1.6.1.5
+    value (tag=0x02): 3
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15921/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 43
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15921/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 43
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900
+    value (tag=0x02): 1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15922/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 44
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15922/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 44
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x06): 1.3.6.1.4.1.2001.1.1.1.297.93.1.27.2.2.1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15923/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 45
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15923/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 45
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x04): B6300
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x04): Chandra's cube
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15924/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 46
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.6.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15924/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 46
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.6.1
+    value (tag=0x04): ^H\07^U\xe6\xbc
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15925/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 47
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130104
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130102
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14130400
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15925/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 47
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130104
+    value (tag=0x04): 172.31.19.2
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130102
+    value (tag=0x04): 255.255.255.0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14130400
+    value (tag=0x02): 1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15926/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 48
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.43.14.1.1.6.1.5
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15926/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 48
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.43.14.1.1.6.1.5
+    value (tag=0x02): 3
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15927/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 49
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15927/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 49
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900
+    value (tag=0x02): 1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15928/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 50
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15928/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 50
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x06): 1.3.6.1.4.1.2001.1.1.1.297.93.1.27.2.2.1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15929/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 51
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15929/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 51
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x04): B6300
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x04): Chandra's cube
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15930/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 52
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.6.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15930/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 52
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.6.1
+    value (tag=0x04): ^H\07^U\xe6\xbc
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15931/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 53
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130104
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130102
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14130400
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15931/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 53
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130104
+    value (tag=0x04): 172.31.19.2
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.7.10.14130102
+    value (tag=0x04): 255.255.255.0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14130400
+    value (tag=0x02): 1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15932/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 54
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.43.14.1.1.6.1.5
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15932/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 54
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.43.14.1.1.6.1.5
+    value (tag=0x02): 3
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15933/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 55
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15933/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 55
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900
+    value (tag=0x02): 1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15934/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 56
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15934/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 56
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x06): 1.3.6.1.4.1.2001.1.1.1.297.93.1.27.2.2.1
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15935/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 57
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.8.1.3.0
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.51.8.1.1.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15935/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 57
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.8.1.3.0
+    value (tag=0x02): 0
+    oid: 1.3.6.1.4.1.253.8.51.8.1.1.0
+    value (tag=0x02): 300
+snmp_set_request
+  [orig_h=172.31.19.54, orig_p=15936/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 58
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.2.1
+    value (tag=0x02): 4
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.3.1
+    value (tag=0x04): FujiXeroxExodus
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.4.1
+    value (tag=0x06): 1.3.6.1.4.1.253.8.51.8.2
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.5.1
+    value (tag=0x02): 300
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15936/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 58
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.2.1
+    value (tag=0x02): 4
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.3.1
+    value (tag=0x04): FujiXeroxExodus
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.4.1
+    value (tag=0x06): 1.3.6.1.4.1.253.8.51.8.2
+    oid: 1.3.6.1.4.1.253.8.51.8.2.1.5.1
+    value (tag=0x02): 300
+snmp_set_request
+  [orig_h=172.31.19.54, orig_p=15937/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 59
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.2.10.1
+    value (tag=0x02): 6
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15937/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 59
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.2.10.1
+    value (tag=0x02): 6
+snmp_set_request
+  [orig_h=172.31.19.54, orig_p=15938/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 60
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.7.10.14130101
+    value (tag=0x04): 172.31.19.73
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.5.10.14130400
+    value (tag=0x02): 2
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.7.10.14130102
+    value (tag=0x04): 255.255.255.0
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.7.10.14130104
+    value (tag=0x04): 172.31.19.2
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15938/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 60
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.7.10.14130101
+    value (tag=0x04): 172.31.19.73
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.5.10.14130400
+    value (tag=0x02): 2
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.7.10.14130102
+    value (tag=0x04): 255.255.255.0
+    oid: 1.3.6.1.4.1.253.8.51.10.2.1.7.10.14130104
+    value (tag=0x04): 172.31.19.2
+snmp_set_request
+  [orig_h=172.31.19.54, orig_p=15939/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 61
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.2.10.1
+    value (tag=0x02): 4
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.4.10.1
+    value (tag=0x02): 4
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.3.10.1
+    value (tag=0x02): 10
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15939/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 61
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.2.10.1
+    value (tag=0x02): 4
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.4.10.1
+    value (tag=0x02): 4
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.3.10.1
+    value (tag=0x02): 10
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15940/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 62
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.5.10.1
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.6.10.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15940/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 62
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.5.10.1
+    value (tag=0x02): 0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.6.10.1
+    value (tag=0x02): 0
+snmp_set_request
+  [orig_h=172.31.19.54, orig_p=15941/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 63
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.4.10.1
+    value (tag=0x02): 8
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15941/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 63
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.4.1.253.8.51.9.2.1.4.10.1
+    value (tag=0x02): 8
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15942/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 64
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.3.0
+    value (tag=0x05): <unspecified>
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15945/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 65
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.3.0
+    value (tag=0x05): <unspecified>
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15952/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 66
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.3.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15952/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 66
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.3.0
+    value (tag=0x43): 300
+snmp_get_request
+  [orig_h=172.31.19.54, orig_p=15953/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 67
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=172.31.19.54, orig_p=15953/udp, resp_h=172.31.19.73, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 67
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.2.0
+    value (tag=0x06): 1.3.6.1.4.1.2001.1.1.1.297.93.1.27.2.2.1
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out2 b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out2
new file mode 100644
index 0000000000..743f18bbf1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out2
@@ -0,0 +1,26 @@
+snmp_get_request
+  [orig_h=203.143.168.235, orig_p=1026/udp, resp_h=129.94.135.39, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 1567
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.25.3.2.1.5.1
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.2.1.25.3.5.1.1.1
+    value (tag=0x05): <unspecified>
+    oid: 1.3.6.1.2.1.25.3.5.1.2.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=203.143.168.235, orig_p=1026/udp, resp_h=129.94.135.39, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 1567
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.25.3.2.1.5.1
+    value (tag=0x02): 5
+    oid: 1.3.6.1.2.1.25.3.5.1.1.1
+    value (tag=0x02): 1
+    oid: 1.3.6.1.2.1.25.3.5.1.2.1
+    value (tag=0x04): \xc0
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out3 b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out3
new file mode 100644
index 0000000000..b8319b67ec
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out3
@@ -0,0 +1,18 @@
+snmp_set_request
+  [orig_h=127.0.0.1, orig_p=63034/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: T
+  [community=]
+    request_id: 2064150121
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x04): musec
+snmp_response
+  [orig_h=127.0.0.1, orig_p=63034/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: F
+  [community=]
+    request_id: 2064150121
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x05): <unspecified>
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out4 b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out4
new file mode 100644
index 0000000000..0854c7096c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v1/out4
@@ -0,0 +1,11 @@
+snmp_trap
+  [orig_h=127.0.0.1, orig_p=57150/udp, resp_h=127.0.0.1, resp_p=162/udp]
+  is_orig: T
+  [community=public]
+    enterprise:    1.3.6.1.4.1.31337.0
+    agent:         1.0.0.127
+    generic_trap:  0
+    specific_trap: 0
+    time_stamp:    0
+    oid: 1.3.6.1.2.1.2.1.0
+    value (tag=0x02): 33
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out1 b/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out1
new file mode 100644
index 0000000000..cb18518552
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out1
@@ -0,0 +1,18 @@
+snmp_get_request
+  [orig_h=10.10.1.159, orig_p=51217/udp, resp_h=10.10.3.109, resp_p=161/udp]
+  is_orig: T
+  [community=public]
+    request_id: 895734538
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.17.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=10.10.1.159, orig_p=51217/udp, resp_h=10.10.3.109, resp_p=161/udp]
+  is_orig: F
+  [community=public]
+    request_id: 895734538
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.2.2.1.17.1
+    value (tag=0x41): 854387
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out2 b/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out2
new file mode 100644
index 0000000000..0c1971c9f5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out2
@@ -0,0 +1,18 @@
+snmp_get_bulk_request
+  [orig_h=127.0.0.1, orig_p=28456/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: T
+  [community=]
+    request_id:      1817072941
+    non_repeaters:   0
+    max_repititions: 0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=127.0.0.1, orig_p=28456/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: F
+  [community=]
+    request_id: 1817072941
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.5.0
+    value (tag=0x05): <unspecified>
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out3 b/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out3
new file mode 100644
index 0000000000..4abbb8f819
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v2/out3
@@ -0,0 +1,72 @@
+snmp_get_request
+  [orig_h=10.144.246.184, orig_p=33938/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: T
+  [community=[R0_C@cti!]]
+    request_id: 722681733
+    error_stat: 0
+    error_idx:  0
+    oid: 0.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=10.144.246.184, orig_p=33938/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: F
+  [community=[R0_C@cti!]]
+    request_id: 722681733
+    error_stat: 0
+    error_idx:  0
+    oid: 1.0.8802.1.1.1.1.1.1.0
+    value (tag=0x02): 2
+snmp_get_request
+  [orig_h=10.144.246.184, orig_p=43824/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: T
+  [community=[R0_C@cti!]]
+    request_id: 555232471
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.3.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=10.144.246.184, orig_p=43824/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: F
+  [community=[R0_C@cti!]]
+    request_id: 555232471
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.3.0
+    value (tag=0x43): 76705700
+snmp_get_request
+  [orig_h=10.144.246.184, orig_p=40807/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: T
+  [community=[R0_C@cti!]]
+    request_id: 349867006
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.31.1.1.1.10.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=10.144.246.184, orig_p=40807/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: F
+  [community=[R0_C@cti!]]
+    request_id: 349867006
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.31.1.1.1.10.1
+    value (tag=0x46): 2232821312
+snmp_get_request
+  [orig_h=10.144.246.184, orig_p=54059/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: T
+  [community=[R0_C@cti!]]
+    request_id: 107891391
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.31.1.1.1.6.1
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=10.144.246.184, orig_p=54059/udp, resp_h=10.144.246.161, resp_p=161/udp]
+  is_orig: F
+  [community=[R0_C@cti!]]
+    request_id: 107891391
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.31.1.1.1.6.1
+    value (tag=0x46): 12606463906
diff --git a/testing/btest/Baseline/scripts.base.protocols.snmp.v3/out1 b/testing/btest/Baseline/scripts.base.protocols.snmp.v3/out1
new file mode 100644
index 0000000000..20f6d45ab0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snmp.v3/out1
@@ -0,0 +1,34 @@
+snmp_get_request
+  [orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: T
+  [id=544943986, max_size=16384, flags=4, auth_flag=F, priv_flag=F, reportable_flag=T, security_model=3, security_params=0^N^D\0^B^A*^B^A*^D\0^D\0^D\0, pdu_context=[engine_id=, name=]]
+    request_id: 544943986
+    error_stat: 0
+    error_idx:  0
+snmp_report
+  [orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: F
+  [id=544943986, max_size=16384, flags=0, auth_flag=F, priv_flag=F, reportable_flag=F, security_model=3, security_params=0\x1b^D^M\x80\0\x1f\x88\x80\xa9I\x8e^:,0C^B^A\xdd^B^A\xdd^D\0^D\0^D\0, pdu_context=[engine_id=\x80\0\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
+    request_id: 544943986
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.6.3.15.1.1.0
+    value (tag=0x41): 3
+snmp_get_request
+  [orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: T
+  [id=544943986, max_size=16384, flags=4, auth_flag=F, priv_flag=F, reportable_flag=T, security_model=3, security_params=0/^D^M\x80\0\x1f\x88\x80\xa9I\x8e^:,0C^B^A\xdd^B^A\xdd^D^Husername^D^L\0\0\0\0\0\0\0\0\0\0\0\0^D\0, pdu_context=[engine_id=\x80\0\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
+    request_id: 544943986
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x05): <unspecified>
+snmp_response
+  [orig_h=127.0.0.1, orig_p=54211/udp, resp_h=127.0.0.1, resp_p=161/udp]
+  is_orig: F
+  [id=544943986, max_size=16384, flags=0, auth_flag=F, priv_flag=F, reportable_flag=F, security_model=3, security_params=0#^D^M\x80\0\x1f\x88\x80\xa9I\x8e^:,0C^B^A\xdd^B^A\xdd^D^Husername^D\0^D\0, pdu_context=[engine_id=\x80\0\x1f\x88\x80\xa9I\x8e^:,0C, name=]]
+    request_id: 544943986
+    error_stat: 0
+    error_idx:  0
+    oid: 1.3.6.1.2.1.1.6.0
+    value (tag=0x04): 
diff --git a/testing/btest/Traces/snmp/snmpv1_get.pcap b/testing/btest/Traces/snmp/snmpv1_get.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..de8505b529dde4a6bf171e462a9799627fca7da1
GIT binary patch
literal 7165
zcmd6sZE#f89mdbSxw-61j0Rd-7K1@37!o!oyV=c>z$V#*NF)J50UahPFUg205o)AO
z?Wo<NC^JUXp@a0rE{nF#PV2PHSfx`bR;M@&I*#K^%NJ?CRKMtqt#(GnseS%u@5|Xe
zn*;687v`QB_Ri)$=lA^2dG0x9-+A@KF_T%${rCCjj2ZZ_?#YJUGlv6gBmPe<z}mm~
zm*242T{p$w4zSgX^%dqZ_MN)Aw|{osoFv*nx|tngyyjWH#59;?@7=d!_nkX)^Gt(2
z<Knfv#tt;uhG`fks}>5ojs(~!o=(kuHt7h3Es^<*b=Up*6g{0(*fD5i?wjB#Ng?0l
zD>U#0zJfg)T9$EW*f5OmHr{H?H%)`6KFkN$Hpo#^s5TZNg6dU|YB{LV(?h&X(#$P2
z4P1iiTA!*KRQ@O1VSM*wfK5V+n!-31xmGYfFEK7>!%zQ!-ze$jJAAzsUgt7aGpjn2
zjC0N-?k$^HwY|Hx-!*#o_N9{zJNNAvBjj(t7GRs8PEA4XFTiFL@=Xsp3gnpeB)>uG
zLT<ik&}Ury8eVIML?L0RZ4^s6aVEgF;`!7R%)v;#!2G?08D**SM|o7z$S?FY=JGGd
z8kSw`H_@cu39v^YLQSE$zW_r)^F5EI1vKNI*nFF$l>4e_G&(eE_*`eGWbX@fTc$B9
zbl}|=Qz&Jn`$_eFHNJmxThWETeh^^KqF>Y$7mh?02p8^^TxenY|DNODlKPh4?e}dv
zUs$PcR=Bl27LB(?TUSJ5d{Kq3B(1AriA2<GoPVkGOT|88CX%7mp9a_#^p~1q=$Zmb
z2Sd+#hH@C%c5xkFCUrVjZyNL&7oW|qv1`QeXsR`6d=#x&`&oe93<YY6H3O0Bgf(X*
zYdA}M+Rrh)y)?-$@Kxqu9+aq<Mis%lWCz&@6sRdM>k6m<VEpOb3Yd-ydpVb6a*IrZ
zWC`ZW<)Z-3T{wSF5ot$VklhL$Y6{Z&NP|E+Eg`kC&Ohzqt&&!Lv9C3+LY1K9RO!fq
zpe~K!AHdFeRf++O*Bn*SxY+@#kjBjmgSs?cC~#hqaAHW~?MfQE3YV3}Z#4yVX$%WN
z^|D752UU8yM@i%54%H>o_`OU}m&Vr%#^)r)IMVo#lE$vyzmvva8w%>u7&Zg>bq~1>
z$T91HlE##rxGJad!Qr4TjTb2+vkhrHt)#K5p-JP@BSBpn!%)y1@@NvE8UOgAlEy6#
z%@s}K#%~05X}nmtaF0~%1k(7hlE!Y|{yS-0pAG8L7^Q=uuX%=IRfIIoC}~WAM#E!<
zG|oO4)TQxPgf*{7)+CX}9ZDLzDl?_=`;TeU7!@d)-tB<txG<`uF(oF!Xw&$KquMlH
zB9MM9A+;loN0c;nwPsG^&3MfW9tr8v82$l_mOI6@aSC9(W?D((m;+Xp#-w0<Kcq|J
zMuGDS2`7a#-mIjtt8mFQCQbXfkS>j3A*f#Ts8)a~J)Ka}IPOqs(^xS6Hl$1AWr8s$
zF|I%w?^n{;)%#b|n7Yt^Hl$1Ar2_eP9&!heW7fS&8q@ZGMyRqjCXJytLb^0=5}5Lf
zwF7CKRnpkim?4cx=^uXx>C*THL37Zf=>*OA#~&(boN#EaSQ=B`?)WIAOXFtY!fvV9
zok-(Hlr(nx_McB<>h!G7Lb^1@EX0hU9cpo&uY{p(7n4dFCmlm8q%o;%VqskxFBjIF
zl&o2aG>$51?5b2sW0IK+hjnXXOt+Hhy$UcL7j99~xZQ!7F^x&9e{NW}HjWCU6B5!Y
zr11tNja@B$8lP_n>(Uq#3}CbnFIFiHFkX{Y(wNQ_aFw4_5YG6bur7^T1WrN1Nh6I1
zlr(k~E-Q`KN5gC!I}2*cR%WDt2?MI1dQ@GYT61uWr-9&|zu;}Q!l7D%9n)3fOavR<
zc)+Nl<BHN-25u2;xHZfsph`{I*xVlBf>zGuF1FTup7%(~d8C!A+{kB_DU-`{O76jV
z(`Y8~A9jY>3FuN&u%9VlG64HF54#)KkFWiJXCIQ(k58Ef4oyTgC!kd8bDKDTG7Sqm
z>yn#QhIMuSzVSP68M}MW)at1{qx&X#ed$*$!wyT&!3jml6RHiD;NdQxK(X(cNUN}K
zt29`;+2ey{1o{6d!K|CY-WyA)!C(Qi7d3dnt3eNHklK_ld1D>NX-=n80(xUz?O7K@
z0Ya#OP1SB5@|6^?1|u=y)h{KldZ2W?M2XIgE<@?`&0%&9V~U!>bgF<U45p07lmSy=
zeTrv)ERU<~6Q;4!p~^nQulJ8t;vwhgC}Gw3$20A5c~ei{agSb1`QXO;W98sRIso#%
zlqxv@A{YNS;<G6(o{GeUi)qQl3@dCXW6S@avQ6F*W(QC+YD(Rv3J4?A?P0HOy{Oyh
zM>q1Va@mGVW0h02OvSNimEW~!gerHd=x%5W93N;5dc9H{pNg~z$M;K)_o7#8N_v&Q
z^1b>|TaeuapQtHbZ7U#o;MLQfSAFnma8HtFB(HK<V9_fC7hi_xESa~}AsqLX-?Zr_
zd2%=vWP71ZP4Q$$Bq2O`O7f(St*gJE_ett`yzpK1=JJ|AoqAQ4C6LEm(r@VXPdya+
z!2+@b^pqvVWx#4mt&LBWWC^8K7am7CN@|HQ5g?_-n|&pPbTE<>q(7HPS3^lX?Y@N4
zH=#8AvY}hrU}l4f_6|j+elYRy*OjGBx5FfDH0k~S02I1!*B&gc5(@MKMNwfuC`>2{
zJ(U$6fx_QTX&GJ+3iR}%!Umx*rYO)T#U(G#h=CNwUopI0oKlZ|8^`h8b)WP}_1M5-
zXP1@i;_~=~!&RVNobyvv73;;igfz@^T8du@iiAfoOcXUc6$(7AoPvH1BZUXvG&GA$
X`zL}TE>R3)k=djyGF^pBE;9cK##mi-

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv1_get_short.pcap b/testing/btest/Traces/snmp/snmpv1_get_short.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a765af6640a64c2e590c8f2be4db96d753fea29f
GIT binary patch
literal 299
zcmca|c+)~A1{MYw`2U}Qff2~5zsT*f_6-+91&|HG4BWRTi={B|h8bVs;9ziNV90Vg
z#K6!XSaINV|BBa*aqa3XObiPd!iwY!e3%#+Sl9|mlX5bX7uYi~vB?7kfXKkufS-+9
zn~jl)QIeU7k(H5^0ZD+Bkr7=0s0Qqg$Dg<us)0@bVTcPLt^vCvcglAL23f)G4v-r_
sZedsmbV=mtw+8-5?pWl6<PI|f0Tg!t?LiU&IfRLk5k-WFk%jR908~sie*gdg

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv1_set.pcap b/testing/btest/Traces/snmp/snmpv1_set.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..dc0701408a8bb91f4e5e91af1bb236b22678301e
GIT binary patch
literal 219
zcmca|c+)~A1{MYw`2U}Qff2}gxLViq>qQoZ5Fi_b*;rYanHU+Fm|0laI2c?R7~DXr
z90aSE)&n(w@HZ=lg$za-yapOfj6eeyD>AWEbL3?LIY49}Y#_+Sq0Pn!G=r6ag*CUd
zI5in$$AwEQ4E{iqKp0{=#3ryEj!-*R!R%mI2((34Ji$O2Y{w!Q6g&6~co255G5`Sh
CZXtI7

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv1_trap.pcap b/testing/btest/Traces/snmp/snmpv1_trap.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e77219efd2efa7258ca4031a6d5f4e0195aa8d3c
GIT binary patch
literal 143
zcmca|c+)~A1{MYw`2U}Qff2|NSflI7X3WQs4rGHc8!HPl6C)!NGYcyl2ZJjELnKI*
zgJAWfdY}dnzHi5{h{1K&Zv$&4Mg|tPg3_d%%;Y6{Y@FI`j4X_eUosgSSU~E4vOwev
Sw$gy#fR~K}sDKF~tOx+r$`%6v

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv2_get.pcap b/testing/btest/Traces/snmp/snmpv2_get.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..705af973ba23bc1c199f3b836c797546f04abc52
GIT binary patch
literal 233
zcmca|c+)~A1{MYw`2U}Qff2}=@si1V+dVdha3C9m86<ap_hw=cJKgh2orA%Zfx$Ct
zF9U;v;J4#kT#WO%xR`TK2r?{WFunH1K%0q?k%g_GG$|)Dd4U`gi)r#@E+$3>ATkgz
z;A7*`W@BVxWMX0zWMl<fBlnPvAqr>%2tzD@SO&Jn2WSb<8pS4%6(Fk^76L7@IH+o%
Whh)tnMHFj<4Fr*`ab)J@ECv9V2r#Gs

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv2_get_bulk.pcap b/testing/btest/Traces/snmp/snmpv2_get_bulk.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5099c7a3234abf655b516d2400d4c919511f3d6a
GIT binary patch
literal 214
zcmca|c+)~A1{MYw`2U}Qff2}guv*tsVJ|a-KadT=Y^*HIOpJ_7%q*;I91N}u42~dG
z4uaLI>VX<SIA4QdA%pJZ=?2O`bu0`^WtdoU{6ck^7#V=bfX{%3jYFG_5h%yXzzR10
b7n1Q1gCUk+H=bc3&;s4bv!KQ=!fQMLHG&?T

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv2_get_next.pcap b/testing/btest/Traces/snmp/snmpv2_get_next.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d3c6c2b9878e1a0a1ee9c0fbd6c22d8f7eaf8ed2
GIT binary patch
literal 894
zcmca|c+)~A1{MYw`2U}Qff300b@{f(hjb=}U?3ZW8TgvTzA`Y#CT!-q%faBv074E7
z4uTeXTob<S0OEx$lNc5<7+QWZP-kLfWZ{kuGKhC}NG{1#j9n<o#G);1-^#?u07M4t
z2CQt1jI3ZQ=H)Um!~#tRVTj=ni@;X+^SxzY_%FE13}igW8U~Oh*2`ZS7@}LTNFK!s
zK?8m^E{!8ej9>t?l?mjZ6JMAZqJZ{*Fou78p#D*Z`De8O&_5P`jvMHqTed)kiA7OD
z=Q`9sd<Hyh9NKJ*KxNDf5N|F0#l#Q?v;>4PycNLr4(u%xgtvfp*?5#17@^y=NCCwr
zAp-$~P0lPVlk%5<{Pi-A84-x+@#GKnmkP{Z^V5O;vfh<~8HfvjfhcmT`ybR_pg`mX
z`%4}ej9kzdiz;PiNCNr_gfYAp!uKBRHGPEFfYv#%uQxEm@R|yWWnu;*D3-agGPH`R
zIe@%(<N+z(yQ~fJ-Zg*h-eb%2+K<(HY*6pLeTLV2AHd!NrFm$A1X|}%{{*}DkSs&>
O9vh<@E7SY*_(cGDH`}EE

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/snmp/snmpv3_get_next.pcap b/testing/btest/Traces/snmp/snmpv3_get_next.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..13ed2e76462aaf1ddc8ad864be54851cfb64115e
GIT binary patch
literal 661
zcmaixy-EW?6ov21-W@g&cN3zbsKg)^{*fzK3Brm5NpB~LA}JJN5fzCk3@8!^h?QdJ
z3W8#%kB~>uR`5;Yoyo3{UC?39Fu(VFocZj$1riXV*6jiaUVOhUl&^9g?DJep*=R{2
zq=mL}paig~Z~58A%{f2N`shFa>+L+PNMTV%;$)*(lhOwi$UB%J7eR_y?#PA+G^oc1
zH@qqM5XcyphCI0C@>)I1p1m<{g~of4F$8RVeCg3a!k9~1I6-4L(1d)e`BJ{#UY@5l
zDZaRe6icx~gy%vZQjW4JHK&BKJRx9JXJzSl-iJMS;)PZso;%6Ae)eo5qBQYbq-Lm|
zpfvF;QZWV+QaUF`mD=HMwSs9b`P(?Z_ydGsypP<av~rl7KTd&dq8%Oa;GT<UC8BMI
f&^r;diT1RxMb!kfiFTT%{)5&ZodkXS0~Fy0s^n}4

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/snmp/v1.bro b/testing/btest/scripts/base/protocols/snmp/v1.bro
new file mode 100644
index 0000000000..7dd5bd4a68
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/snmp/v1.bro
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get.pcap %INPUT $SCRIPTS/snmp-test.bro >out1
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_get_short.pcap %INPUT $SCRIPTS/snmp-test.bro >out2
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_set.pcap %INPUT $SCRIPTS/snmp-test.bro >out3
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv1_trap.pcap %INPUT $SCRIPTS/snmp-test.bro >out4
+
+# @TEST-EXEC: btest-diff out1
+# @TEST-EXEC: btest-diff out2
+# @TEST-EXEC: btest-diff out3
+# @TEST-EXEC: btest-diff out4
+
+@load base/protocols/snmp
diff --git a/testing/btest/scripts/base/protocols/snmp/v2.bro b/testing/btest/scripts/base/protocols/snmp/v2.bro
new file mode 100644
index 0000000000..a2b9885fbb
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/snmp/v2.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get.pcap %INPUT $SCRIPTS/snmp-test.bro >out1
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_bulk.pcap %INPUT $SCRIPTS/snmp-test.bro >out2
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv2_get_next.pcap %INPUT $SCRIPTS/snmp-test.bro >out3
+
+# @TEST-EXEC: btest-diff out1
+# @TEST-EXEC: btest-diff out2
+# @TEST-EXEC: btest-diff out3
+
+@load base/protocols/snmp
diff --git a/testing/btest/scripts/base/protocols/snmp/v3.bro b/testing/btest/scripts/base/protocols/snmp/v3.bro
new file mode 100644
index 0000000000..43edbdc2df
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/snmp/v3.bro
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -b -r $TRACES/snmp/snmpv3_get_next.pcap %INPUT $SCRIPTS/snmp-test.bro >out1
+
+# @TEST-EXEC: btest-diff out1
+
+@load base/protocols/snmp
diff --git a/testing/scripts/snmp-test.bro b/testing/scripts/snmp-test.bro
new file mode 100644
index 0000000000..399935db4c
--- /dev/null
+++ b/testing/scripts/snmp-test.bro
@@ -0,0 +1,208 @@
+
+function format_snmp_val(tag: count, s: string): string
+	{
+	return fmt("    value (tag=0x%02x): %s", tag, s);
+	}
+
+function print_snmp_value(val: SNMP::ObjectValue)
+	{
+	switch ( val$tag ) {
+	case SNMP::OBJ_OID_TAG:
+		print format_snmp_val(val$tag, fmt("%s", val$oid));
+		break;
+
+	case SNMP::OBJ_INTEGER_TAG:
+		print format_snmp_val(val$tag, fmt("%s", val$signed));
+		break;
+
+	case SNMP::OBJ_COUNTER32_TAG,
+	     SNMP::OBJ_UNSIGNED32_TAG,
+	     SNMP::OBJ_TIMETICKS_TAG,
+	     SNMP::OBJ_COUNTER64_TAG:
+		print format_snmp_val(val$tag, fmt("%s", val$unsigned));
+		break;
+
+	case SNMP::OBJ_IPADDRESS_TAG:
+		print format_snmp_val(val$tag, fmt("%s", val$address));
+		break;
+
+	case SNMP::OBJ_OCTETSTRING_TAG,
+         SNMP::OBJ_OPAQUE_TAG:
+		print format_snmp_val(val$tag, fmt("%s", val$octets));
+		break;
+
+	case SNMP::OBJ_UNSPECIFIED_TAG:
+		print format_snmp_val(val$tag, fmt("%s", "<unspecified>"));
+		break;
+
+	case SNMP::OBJ_NOSUCHOBJECT_TAG:
+		print format_snmp_val(val$tag, fmt("%s", "<no such object>"));
+		break;
+
+	case SNMP::OBJ_NOSUCHINSTANCE_TAG:
+		print format_snmp_val(val$tag, fmt("%s", "<no such instance>"));
+		break;
+
+	case SNMP::OBJ_ENDOFMIBVIEW_TAG:
+		print format_snmp_val(val$tag, fmt("%s", "<end of mib view>"));
+		break;
+
+	default:
+		print format_snmp_val(val$tag, "<unknown>");
+		break;
+	}
+	}
+
+function print_snmp_binding(binding: SNMP::Binding)
+	{
+	print fmt("    oid: %s", binding$oid);
+	print_snmp_value(binding$value);
+	}
+
+function print_snmp_bindings(bindings: SNMP::Bindings)
+	{
+	for ( i in bindings )
+		print_snmp_binding(bindings[i]);
+	}
+
+function print_snmp_pdu(pdu: SNMP::PDU)
+	{
+	print fmt("    request_id: %s", pdu$request_id);
+	print fmt("    error_stat: %s", pdu$error_status);
+	print fmt("    error_idx:  %s", pdu$error_index);
+	print_snmp_bindings(pdu$bindings);
+	}
+
+function print_snmp_trap_pdu(pdu: SNMP::TrapPDU)
+	{
+	print fmt("    enterprise:    %s", pdu$enterprise);
+	print fmt("    agent:         %s", pdu$agent);
+	print fmt("    generic_trap:  %s", pdu$generic_trap);
+	print fmt("    specific_trap: %s", pdu$specific_trap);
+	print fmt("    time_stamp:    %s", pdu$time_stamp);
+	print_snmp_bindings(pdu$bindings);
+	}
+
+function print_snmp_bulk_pdu(pdu: SNMP::BulkPDU)
+	{
+	print fmt("    request_id:      %s", pdu$request_id);
+	print fmt("    non_repeaters:   %s", pdu$non_repeaters);
+	print fmt("    max_repititions: %s", pdu$max_repititions);
+	print_snmp_bindings(pdu$bindings);
+	}
+
+function print_snmp_conn(c: connection, is_orig: bool)
+	{
+	print fmt("  %s", c$id);
+	print fmt("  is_orig: %s", is_orig);
+	}
+
+function print_snmp_header(header: SNMP::Header)
+	{
+	switch ( header$version ) {
+	case 0:
+		print fmt("  %s", header$v1);
+		break;
+
+	case 1:
+		print fmt("  %s", header$v2);
+		break;
+
+	case 3:
+		print fmt("  %s", header$v3);
+		break;
+
+	default:
+		break;
+	}
+	}
+
+function print_snmp(msg: string, c: connection, is_orig: bool,
+                    header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print msg;
+	print_snmp_conn(c, is_orig);
+	print_snmp_header(header);
+	print_snmp_pdu(pdu);
+	}
+
+event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_get_request", c, is_orig, header, pdu);
+	}
+
+event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_get_request", c, is_orig, header, pdu);
+	}
+
+event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_response", c, is_orig, header, pdu);
+	}
+
+event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_set_request", c, is_orig, header, pdu);
+	}
+
+event snmp_trap(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU)
+	{
+	print "snmp_trap";
+	print_snmp_conn(c, is_orig);
+	print_snmp_header(header);
+	print_snmp_trap_pdu(pdu);
+	}
+
+event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU)
+	{
+	print "snmp_get_bulk_request";
+	print_snmp_conn(c, is_orig);
+	print_snmp_header(header);
+	print_snmp_bulk_pdu(pdu);
+	}
+
+event snmp_inform_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_inform_request", c, is_orig, header, pdu);
+	}
+
+event snmp_trapV2(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_trapv2", c, is_orig, header, pdu);
+	}
+
+event snmp_report(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU)
+	{
+	print_snmp("snmp_report", c, is_orig, header, pdu);
+	}
+
+event snmp_unknown_pdu(c: connection, is_orig: bool, header: SNMP::Header, tag: count)
+	{
+	print "snmp_unknown_pdu";
+	print_snmp_conn(c, is_orig);
+	print_snmp_header(header);
+	print fmt("  tag: %s", tag);
+	}
+
+event snmp_unknown_scoped_pdu(c: connection, is_orig: bool, header: SNMP::Header, tag: count)
+	{
+	print "snmp_unknown_scoped_pdu";
+	print_snmp_conn(c, is_orig);
+	print_snmp_header(header);
+	print fmt("  tag: %s", tag);
+	}
+
+event snmp_encrypted_pdu(c: connection, is_orig: bool, header: SNMP::Header)
+	{
+	print "snmp_encrypted_pdu";
+	print_snmp_conn(c, is_orig);
+	print_snmp_header(header);
+	}
+
+event snmp_unknown_header_version(c: connection, is_orig: bool, version: count)
+	{
+	print "snmp_unknown_header_version";
+	print_snmp_conn(c, is_orig);
+	print fmt("  version %s", version);
+	}

From 3f008c8f0bf4378eb5f2058224293cc48da6639f Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 18 Feb 2014 15:40:41 -0600
Subject: [PATCH 048/220] Fix compiler nitpicks from new SNMP code.

---
 src/analyzer/protocol/snmp/snmp-analyzer.pac | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/snmp/snmp-analyzer.pac b/src/analyzer/protocol/snmp/snmp-analyzer.pac
index 1a864df8b9..cc190e6ebe 100644
--- a/src/analyzer/protocol/snmp/snmp-analyzer.pac
+++ b/src/analyzer/protocol/snmp/snmp-analyzer.pac
@@ -1,3 +1,11 @@
+%extern{
+#include <cstdlib>
+#include <vector>
+#include <string>
+
+#include "net_util.h"
+#include "util.h"
+%}
 
 %header{
 StringVal* asn1_oid_to_val(const ASN1Encoding* oid);
@@ -81,7 +89,7 @@ StringVal* asn1_oid_to_val(const ASN1Encoding* oid)
 			}
 		else
 			{
-			std::div_t result = div(subidentifier_values[i], 40);
+			std::div_t result = std::div(subidentifier_values[i], 40);
 			snprintf(tmp, sizeof(tmp), "%d", result.quot);
 			rval += tmp;
 			rval += ".";

From 2636d3aee74fc523dac5e0c4ec7fddba4b5d3d1b Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 18 Feb 2014 15:58:53 -0600
Subject: [PATCH 049/220] Add memory leak unit test for SNMP.

---
 testing/btest/core/leaks/snmp.test | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 testing/btest/core/leaks/snmp.test

diff --git a/testing/btest/core/leaks/snmp.test b/testing/btest/core/leaks/snmp.test
new file mode 100644
index 0000000000..c58c1f5b58
--- /dev/null
+++ b/testing/btest/core/leaks/snmp.test
@@ -0,0 +1,10 @@
+# Needs perftools support.
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/snmp/snmpv1_get.pcap -r $TRACES/snmp/snmpv1_get_short.pcap -r $TRACES/snmp/snmpv1_set.pcap -r $TRACES/snmp/snmpv1_trap.pcap -r $TRACES/snmp/snmpv2_get_bulk.pcap -r $TRACES/snmp/snmpv2_get_next.pcap -r $TRACES/snmp/snmpv2_get.pcap -r $TRACES/snmp/snmpv3_get_next.pcap $SCRIPTS/snmp-test.bro %INPUT
+# @TEST-EXEC: btest-bg-wait 30
+
+@load base/protocols/snmp

From 90026f7196d721d4141077954f9a415791c48fc0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 19 Feb 2014 10:32:27 -0600
Subject: [PATCH 050/220] Update to libmagic version 5.17, address BIT-1136.

---
 CMakeLists.txt                       | 2 +-
 testing/btest/bifs/identify_data.bro | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 28027d63d3..f773381ae8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -56,7 +56,7 @@ set(LIBMAGIC_LIB_DIR ${LIBMAGIC_PREFIX}/lib)
 set(LIBMAGIC_LIBRARY ${LIBMAGIC_LIB_DIR}/libmagic.a)
 ExternalProject_Add(libmagic
     PREFIX ${LIBMAGIC_PREFIX}
-    URL ${CMAKE_CURRENT_SOURCE_DIR}/src/3rdparty/file-5.16.tar.gz
+    URL ${CMAKE_CURRENT_SOURCE_DIR}/src/3rdparty/file-5.17.tar.gz
     CONFIGURE_COMMAND ./configure --enable-static --disable-shared
                                   --prefix=${LIBMAGIC_PREFIX}
                                   --includedir=${LIBMAGIC_INCLUDE_DIR}
diff --git a/testing/btest/bifs/identify_data.bro b/testing/btest/bifs/identify_data.bro
index 836a5a428f..d49a144b1e 100644
--- a/testing/btest/bifs/identify_data.bro
+++ b/testing/btest/bifs/identify_data.bro
@@ -10,7 +10,7 @@ event bro_init()
 	print identify_data(a, T);
 
 	# PNG image
-	local b = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a";
+	local b = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00";
 	print identify_data(b, F);
 	print identify_data(b, T);
 	}

From 18d89d6320db4ffd15f0250b2db8a1ec11750ac4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 20 Feb 2014 14:37:43 -0800
Subject: [PATCH 051/220] New alert from
 https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04

---
 scripts/base/protocols/ssl/consts.bro | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index b81aebfbbb..c50ad13648 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -55,6 +55,7 @@ export {
 		[113] = "bad_certificate_status_response",
 		[114] = "bad_certificate_hash_value",
 		[115] = "unknown_psk_identity",
+		[120] = "no_application_protocol",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
 	## Mapping between numeric codes and human readable strings for SSL/TLS

From 10d89a464896f3d041985672c9910c3fb14bdcda Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 20 Feb 2014 17:27:46 -0800
Subject: [PATCH 052/220] Updating submodule(s).

 [nomail]
---
 CHANGES      | 4 ++++
 VERSION      | 2 +-
 src/3rdparty | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index ba9102aeeb..1b4d3841bd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-177 | 2014-02-20 17:27:46 -0800
+
+  * Update to libmagic version 5.17. Addresses BIT-1136. (Jon Siwek)
+    
 2.2-174 | 2014-02-14 12:07:04 -0800
 
   * Support for MPLS over VLAN. (Chris Kanich)
diff --git a/VERSION b/VERSION
index 5b847786b5..598049d62c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-174
+2.2-177
diff --git a/src/3rdparty b/src/3rdparty
index 42a4c9694a..e96d95a130 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 42a4c9694a2b2677b050fbb7cbae26bc5ec4605a
+Subproject commit e96d95a130a572b611fe70b3c3ede2b4727aaa22

From 0e7d70e21924beb04cf0109e899c2b0003b55ffd Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 21 Feb 2014 06:05:12 -0800
Subject: [PATCH 053/220] Correct return type of topk_get_top, addresses
 BIT-1144

---
 src/probabilistic/top-k.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/probabilistic/top-k.bif b/src/probabilistic/top-k.bif
index 5362750467..0589608d22 100644
--- a/src/probabilistic/top-k.bif
+++ b/src/probabilistic/top-k.bif
@@ -49,7 +49,7 @@ function topk_add%(handle: opaque of topk, value: any%): any
 ##
 ## .. bro:see:: topk_init topk_add topk_count topk_epsilon
 ##    topk_size topk_sum topk_merge topk_merge_prune
-function topk_get_top%(handle: opaque of topk, k: count%): any
+function topk_get_top%(handle: opaque of topk, k: count%): index_vec 
 	%{
 	assert(handle);
 	probabilistic::TopkVal* h = (probabilistic::TopkVal*) handle;

From 81e561e5dea6a00c7d70058974964434450fe292 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 21 Feb 2014 11:18:35 -0800
Subject: [PATCH 054/220] Revert "Correct return type of topk_get_top,
 addresses BIT-1144"

This reverts commit 0e7d70e21924beb04cf0109e899c2b0003b55ffd.

Sorry, bad idea.
---
 src/probabilistic/top-k.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/probabilistic/top-k.bif b/src/probabilistic/top-k.bif
index 0589608d22..5362750467 100644
--- a/src/probabilistic/top-k.bif
+++ b/src/probabilistic/top-k.bif
@@ -49,7 +49,7 @@ function topk_add%(handle: opaque of topk, value: any%): any
 ##
 ## .. bro:see:: topk_init topk_add topk_count topk_epsilon
 ##    topk_size topk_sum topk_merge topk_merge_prune
-function topk_get_top%(handle: opaque of topk, k: count%): index_vec 
+function topk_get_top%(handle: opaque of topk, k: count%): any
 	%{
 	assert(handle);
 	probabilistic::TopkVal* h = (probabilistic::TopkVal*) handle;

From ca2cdd88615584e782564d334e703883f40f6abf Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 21 Feb 2014 11:24:03 -0800
Subject: [PATCH 055/220] new TLS constants from
 https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01

---
 scripts/base/protocols/ssl/consts.bro | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index c50ad13648..9e9222f12c 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -47,6 +47,7 @@ export {
 		[70] = "protocol_version",
 		[71] = "insufficient_security",
 		[80] = "internal_error",
+		[86] = "inappropriate_fallback",
 		[90] = "user_canceled",
 		[100] = "no_renegotiation",
 		[110] = "unsupported_extension",
@@ -264,6 +265,8 @@ export {
 	const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
 	const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
 	const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
+	# draft-bmoeller-tls-downgrade-scsv-01
+	const TLS_FALLBACK_SCSV = 0x5600;
 	# RFC 4492
 	const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
 	const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
@@ -630,6 +633,7 @@ export {
 		[TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
 		[TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
 		[TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256",
+		[TLS_FALLBACK_SCSV] = "TLS_FALLBACK_SCSV",
 		[TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA",
 		[TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
 		[TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",

From 09c2491896971ef361e3ca339175e625c98d406e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 24 Feb 2014 08:13:38 -0800
Subject: [PATCH 056/220] Remove unused and potentially unsafe function
 ListVal::IncludedInString

---
 src/Val.cc | 17 -----------------
 src/Val.h  |  7 -------
 2 files changed, 24 deletions(-)

diff --git a/src/Val.cc b/src/Val.cc
index e072914afb..8c60f4c490 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1171,23 +1171,6 @@ ListVal::~ListVal()
 	Unref(type);
 	}
 
-const char* ListVal::IncludedInString(const char* str) const
-	{
-	if ( tag != TYPE_STRING )
-		Internal("non-string list in ListVal::IncludedInString");
-
-	loop_over_list(vals, i)
-		{
-		const char* vs = (const char*) (vals[i]->AsString()->Bytes());
-
-		const char* embedded = strstr(str, vs);
-		if ( embedded )
-			return embedded;
-		}
-
-	return 0;
-	}
-
 RE_Matcher* ListVal::BuildRE() const
 	{
 	if ( tag != TYPE_STRING )
diff --git a/src/Val.h b/src/Val.h
index 33bd89c0d5..3d4141cd7a 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -669,13 +669,6 @@ public:
 	Val* Index(const int n)		{ return vals[n]; }
 	const Val* Index(const int n) const	{ return vals[n]; }
 
-	// Returns offset of where str includes one of the strings in this
-	// ListVal (which had better be a list of strings), nil if none.
-	//
-	// Assumes that all of the strings in the list are NUL-terminated
-	// and do not have any embedded NULs.
-	const char* IncludedInString(const char* str) const;
-
 	// Returns an RE_Matcher() that will match any string that
 	// includes embedded within it one of the patterns listed
 	// (as a string, e.g., "foo|bar") in this ListVal.

From bc75988bd9e76bc595a086d61e2ee2fa960209a0 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 24 Feb 2014 12:53:48 -0800
Subject: [PATCH 057/220] More google tls extensions that are being actively
 used.

---
 scripts/base/protocols/ssl/consts.bro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 9e9222f12c..1ccace102c 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -89,6 +89,8 @@ export {
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
 		[30031] = "channel_id",
+		[30032] = "channel_id_new",
+		[35655] = "padding",
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	

From b3bd509b3fa9d4803d7bec15399faf0471085b31 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 25 Feb 2014 15:30:29 -0800
Subject: [PATCH 058/220] Allow iterating over bif functions with result type
 vector of any.

This changes the internal type that is used to signal that a vector
is unspecified from any to void.

I tried to verify that the behavior of Bro is still the same. After
a lot of playing around, I think everything still should worl as before.

However, it might be good for someone to take a look at this.

addresses BIT-1144
---
 scripts/base/init-bare.bro                      |  7 +++++++
 src/Expr.cc                                     |  4 +++-
 src/Type.cc                                     | 17 ++++++++++++++++-
 src/Type.h                                      |  2 +-
 src/Val.cc                                      |  6 ++++--
 src/Val.h                                       |  2 ++
 src/probabilistic/top-k.bif                     |  2 +-
 testing/btest/Baseline/bifs.topk/out            |  9 +++++++++
 .../Baseline/language.vector-unspecified/output |  1 +
 testing/btest/bifs/topk.bro                     | 12 +++++++++++-
 testing/btest/language/vector-unspecified.bro   | 11 +++++++++++
 11 files changed, 66 insertions(+), 7 deletions(-)
 create mode 100644 testing/btest/Baseline/language.vector-unspecified/output
 create mode 100644 testing/btest/language/vector-unspecified.bro

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d4e631ecf4..80747e5564 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -39,6 +39,13 @@ type count_set: set[count];
 ##    directly and then remove this alias.
 type index_vec: vector of count;
 
+## A vector of any, used by some builtin functions to store a list of varying types.
+##
+## .. todo:: We need this type definition only for declaring builtin functions
+##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
+##    directly and then remove this alias.
+type any_vec: vector of any;
+
 ## A vector of strings.
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
diff --git a/src/Expr.cc b/src/Expr.cc
index 5f6c7d41c6..a5315b533d 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3819,7 +3819,9 @@ VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list,
 		if ( constructor_list->Exprs().length() == 0 )
 			{
 			// vector().
-			SetType(new ::VectorType(base_type(TYPE_ANY)));
+			// By default, assign VOID type here. A vector with
+			// void type set is seen as an unspecified vector.
+			SetType(new ::VectorType(base_type(TYPE_VOID)));
 			return;
 			}
 
diff --git a/src/Type.cc b/src/Type.cc
index 340ab973bc..61adbbad87 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1626,6 +1626,21 @@ VectorType::~VectorType()
 	Unref(yield_type);
 	}
 
+BroType* VectorType::YieldType()
+	{
+	// cheat around the fact that we use void internally to
+	// mark a vector as being unspecified
+	if ( IsUnspecifiedVector() )
+		{
+		BroType* ret = ::base_type(TYPE_ANY);
+		Unref(ret); // unref, because this won't be held by anyone.
+		assert(ret);
+		return ret;
+		}
+
+	return yield_type;
+	}
+
 int VectorType::MatchesIndex(ListExpr*& index) const
 	{
 	expr_list& el = index->Exprs();
@@ -1645,7 +1660,7 @@ int VectorType::MatchesIndex(ListExpr*& index) const
 
 bool VectorType::IsUnspecifiedVector() const
 	{
-	return yield_type->Tag() == TYPE_ANY;
+	return yield_type->Tag() == TYPE_VOID;
 	}
 
 IMPLEMENT_SERIAL(VectorType, SER_VECTOR_TYPE);
diff --git a/src/Type.h b/src/Type.h
index f6328aed4a..361c2794f0 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -572,7 +572,7 @@ class VectorType : public BroType {
 public:
 	VectorType(BroType* t);
 	virtual ~VectorType();
-	BroType* YieldType()	{ return yield_type; }
+	BroType* YieldType();
 
 	int MatchesIndex(ListExpr*& index) const;
 
diff --git a/src/Val.cc b/src/Val.cc
index e072914afb..46a2f89cca 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -2976,7 +2976,9 @@ VectorVal::~VectorVal()
 bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
 	{
 	if ( element &&
-	     ! same_type(element->Type(), vector_type->YieldType(), 0) )
+	     ! same_type(element->Type(), vector_type->YieldType(), 0) &&
+			 // if we are unspecified, you can assign anything to us.
+			 ! vector_type->IsUnspecifiedVector() )
 		{
 		Unref(element);
 		return false;
@@ -3139,7 +3141,7 @@ bool VectorVal::DoUnserialize(UnserialInfo* info)
 	for ( int i = 0; i < len; ++i )
 		{
 		Val* v;
-		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY));
+		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY)); // accept any type
 		Assign(i, v);
 		}
 
diff --git a/src/Val.h b/src/Val.h
index 33bd89c0d5..f44bba2059 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -656,6 +656,8 @@ protected:
 	DECLARE_SERIAL(PatternVal);
 };
 
+// ListVals are mainly used to index tables that have more than one 
+// element in their index.
 class ListVal : public Val {
 public:
 	ListVal(TypeTag t);
diff --git a/src/probabilistic/top-k.bif b/src/probabilistic/top-k.bif
index 5362750467..8f7b071a4c 100644
--- a/src/probabilistic/top-k.bif
+++ b/src/probabilistic/top-k.bif
@@ -49,7 +49,7 @@ function topk_add%(handle: opaque of topk, value: any%): any
 ##
 ## .. bro:see:: topk_init topk_add topk_count topk_epsilon
 ##    topk_size topk_sum topk_merge topk_merge_prune
-function topk_get_top%(handle: opaque of topk, k: count%): any
+function topk_get_top%(handle: opaque of topk, k: count%): any_vec
 	%{
 	assert(handle);
 	probabilistic::TopkVal* h = (probabilistic::TopkVal*) handle;
diff --git a/testing/btest/Baseline/bifs.topk/out b/testing/btest/Baseline/bifs.topk/out
index 1ce5c4b850..48d7e23f96 100644
--- a/testing/btest/Baseline/bifs.topk/out
+++ b/testing/btest/Baseline/bifs.topk/out
@@ -79,3 +79,12 @@
 0
 8
 0
+0, c
+1, e
+2, d
+0, c
+1, e
+2, d
+0, c
+1, e
+2, d
diff --git a/testing/btest/Baseline/language.vector-unspecified/output b/testing/btest/Baseline/language.vector-unspecified/output
new file mode 100644
index 0000000000..8d726561ab
--- /dev/null
+++ b/testing/btest/Baseline/language.vector-unspecified/output
@@ -0,0 +1 @@
+[5, Hi, 127.0.0.1]
diff --git a/testing/btest/bifs/topk.bro b/testing/btest/bifs/topk.bro
index 02d13c4195..1e650335a7 100644
--- a/testing/btest/bifs/topk.bro
+++ b/testing/btest/bifs/topk.bro
@@ -148,7 +148,17 @@ event bro_init()
 	print topk_count(k3, "d");
 	print topk_epsilon(k3, "d");
 
-	
+	local styped: vector of count;
+	styped = topk_get_top(k3, 3);
+	for ( i in styped )
+	print i, styped[i];
 
+	local anytyped: vector of any;
+	anytyped = topk_get_top(k3, 3);
+	for ( i in anytyped )
+		print i, anytyped[i];
 
+	local suntyped = topk_get_top(k3, 3);
+	for ( i in suntyped )
+		print i, suntyped[i];
 }
diff --git a/testing/btest/language/vector-unspecified.bro b/testing/btest/language/vector-unspecified.bro
new file mode 100644
index 0000000000..b91f910504
--- /dev/null
+++ b/testing/btest/language/vector-unspecified.bro
@@ -0,0 +1,11 @@
+# @TEST-EXEC: bro -b %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+# Test assignment behavior of unspecified vectors
+local a = vector();
+
+a[0] = 5;
+a[1] = "Hi";
+a[2] = 127.0.0.1;
+
+print a;

From 3f584a08fddb16e4da24eec852a6eb843c6f971e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 25 Feb 2014 19:20:42 -0800
Subject: [PATCH 059/220] Remove packet sorter. Addresses BIT-700

---
 scripts/base/init-bare.bro      |   7 -
 src/CMakeLists.txt              |   1 -
 src/Net.cc                      |  77 +------
 src/Net.h                       |   2 +-
 src/NetVar.cc                   |   4 -
 src/NetVar.h                    |   2 -
 src/PacketSort.cc               | 364 --------------------------------
 src/PacketSort.h                | 132 ------------
 src/PktSrc.cc                   |  10 +-
 src/RemoteSerializer.cc         |   2 +-
 src/Sessions.cc                 | 102 ++++-----
 src/Sessions.h                  |   6 +-
 src/analyzer/protocol/arp/ARP.h |   6 +-
 13 files changed, 65 insertions(+), 650 deletions(-)
 delete mode 100644 src/PacketSort.cc
 delete mode 100644 src/PacketSort.h

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d4e631ecf4..46a838e8ae 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -1028,13 +1028,6 @@ const rpc_timeout = 24 sec &redef;
 ## means "forever", which resists evasion, but can lead to state accrual.
 const frag_timeout = 0.0 sec &redef;
 
-## Time window for reordering packets. This is used for dealing with timestamp
-## discrepancy between multiple packet sources.
-##
-## .. note:: Setting this can have a major performance impact as now packets
-##    need to be potentially copied and buffered.
-const packet_sort_window = 0 usecs &redef;
-
 ## If positive, indicates the encapsulation header size that should
 ## be skipped. This applies to all packets.
 const encap_hdr_size = 0 &redef;
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index c85b3b526f..ecf8683ddd 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -293,7 +293,6 @@ set(bro_SRCS
     OpaqueVal.cc
     OSFinger.cc
     PacketFilter.cc
-    PacketSort.cc
     PersistenceSerializer.cc
     PktSrc.cc
     PolicyFile.cc
diff --git a/src/Net.cc b/src/Net.cc
index ac4dacf9b8..83fcde1df4 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -27,7 +27,6 @@
 #include "Reporter.h"
 #include "Net.h"
 #include "Anon.h"
-#include "PacketSort.h"
 #include "Serializer.h"
 #include "PacketDumper.h"
 
@@ -58,8 +57,6 @@ double bro_start_network_time;	// timestamp of first packet
 double last_watchdog_proc_time = 0.0;	// value of above during last watchdog
 bool terminating = false;	// whether we're done reading and finishing up
 
-PacketSortGlobalPQ* packet_sorter = 0;
-
 const struct pcap_pkthdr* current_hdr = 0;
 const u_char* current_pkt = 0;
 int current_dispatched = 0;
@@ -286,9 +283,6 @@ void net_init(name_list& interfaces, name_list& readfiles,
 
 	init_ip_addr_anonymizers();
 
-	if ( packet_sort_window > 0 )
-		packet_sorter = new PacketSortGlobalPQ();
-
 	sessions = new NetSessions();
 
 	if ( do_watchdog )
@@ -313,7 +307,7 @@ void expire_timers(PktSrc* src_ps)
 
 void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 			const u_char* pkt, int hdr_size,
-			PktSrc* src_ps, PacketSortElement* pkt_elem)
+			PktSrc* src_ps)
 	{
 	if ( ! bro_start_network_time )
 		bro_start_network_time = t;
@@ -351,7 +345,7 @@ void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 			}
 		}
 
-	sessions->DispatchPacket(t, hdr, pkt, hdr_size, src_ps, pkt_elem);
+	sessions->DispatchPacket(t, hdr, pkt, hdr_size, src_ps);
 	mgr.Drain();
 
 	if ( sp )
@@ -367,62 +361,11 @@ void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 	current_pktsrc = 0;
 	}
 
-int process_packet_sorter(double latest_packet_time)
-	{
-	if ( ! packet_sorter )
-		return 0;
-
-	double min_t = latest_packet_time - packet_sort_window;
-
-	int num_pkts_dispatched = 0;
-	PacketSortElement* pkt_elem;
-
-	// Dispatch packets in the packet_sorter until timestamp min_t.
-	// It's possible that zero or multiple packets are dispatched.
-	while ( (pkt_elem = packet_sorter->RemoveMin(min_t)) != 0 )
-		{
-		net_packet_dispatch(pkt_elem->TimeStamp(),
-			pkt_elem->Hdr(), pkt_elem->Pkt(),
-			pkt_elem->HdrSize(), pkt_elem->Src(),
-			pkt_elem);
-		++num_pkts_dispatched;
-		delete pkt_elem;
-		}
-
-	return num_pkts_dispatched;
-	}
-
-void net_packet_arrival(double t, const struct pcap_pkthdr* hdr,
-			const u_char* pkt, int hdr_size,
-			PktSrc* src_ps)
-	{
-	if ( packet_sorter )
-		{
-		// Note that when we enable packet sorter, there will
-		// be a small window between the time packet arrives
-		// to Bro and when it is processed ("dispatched").  We
-		// define network_time to be the latest timestamp for
-		// packets *dispatched* so far (usually that's the
-		// timestamp of the current packet).
-
-		// Add the packet to the packet_sorter.
-		packet_sorter->Add(
-			new PacketSortElement(src_ps, t, hdr, pkt, hdr_size));
-
-		// Do we have any packets to dispatch from packet_sorter?
-		process_packet_sorter(t);
-		}
-	else
-		// Otherwise we dispatch the packet immediately
-		net_packet_dispatch(t, hdr, pkt, hdr_size, src_ps, 0);
-	}
-
 void net_run()
 	{
 	set_processing_status("RUNNING", "net_run");
 
 	while ( io_sources.Size() ||
-		(packet_sorter && ! packet_sorter->Empty()) ||
 		(BifConst::exit_only_after_terminate && ! terminating) )
 		{
 		double ts;
@@ -445,14 +388,12 @@ void net_run()
 		current_iosrc = src;
 
 		if ( src )
-			src->Process();	// which will call net_packet_arrival()
+			src->Process();	// which will call net_packet_dispatch()
 
 		else if ( reading_live && ! pseudo_realtime)
 			{ // live but  no source is currently active
 			double ct = current_time();
-			if ( packet_sorter && ! packet_sorter->Empty() )
-				process_packet_sorter(ct);
-			else if ( ! net_is_processing_suspended() )
+			if ( ! net_is_processing_suspended() )
 				{
 				// Take advantage of the lull to get up to
 				// date on timers and events.
@@ -462,15 +403,6 @@ void net_run()
 				}
 			}
 
-		else if ( packet_sorter && ! packet_sorter->Empty() )
-			{
-			// We are no longer reading live; done with all the
-			// sources.
-			// Drain packets remaining in the packet sorter.
-			process_packet_sorter(
-				network_time + packet_sort_window + 1000000);
-			}
-
 		else if ( (have_pending_timers || using_communication) &&
 			  ! pseudo_realtime )
 			{
@@ -581,7 +513,6 @@ void net_delete()
 	set_processing_status("TERMINATING", "net_delete");
 
 	delete sessions;
-	delete packet_sorter;
 
 	for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
 		delete ip_anonymizer[i];
diff --git a/src/Net.h b/src/Net.h
index 07c856d1dd..b5b25b0cee 100644
--- a/src/Net.h
+++ b/src/Net.h
@@ -20,7 +20,7 @@ extern void net_run();
 extern void net_get_final_stats();
 extern void net_finish(int drain_events);
 extern void net_delete();	// Reclaim all memory, etc.
-extern void net_packet_arrival(double t, const struct pcap_pkthdr* hdr,
+extern void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 			const u_char* pkt, int hdr_size,
 			PktSrc* src_ps);
 extern int net_packet_match(BPF_Program* fp, const u_char* pkt,
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 05a4e16b47..3e13728cd8 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -156,8 +156,6 @@ int table_incremental_step;
 
 RecordType* packet_type;
 
-double packet_sort_window;
-
 double connection_status_update_interval;
 
 StringVal* state_dir;
@@ -481,8 +479,6 @@ void init_net_var()
 
 	packet_type = internal_type("packet")->AsRecordType();
 
-	packet_sort_window = opt_internal_double("packet_sort_window");
-
 	orig_addr_anonymization = opt_internal_int("orig_addr_anonymization");
 	resp_addr_anonymization = opt_internal_int("resp_addr_anonymization");
 	other_addr_anonymization = opt_internal_int("other_addr_anonymization");
diff --git a/src/NetVar.h b/src/NetVar.h
index 8ef6571313..6a56e957ae 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -159,8 +159,6 @@ extern int table_incremental_step;
 
 extern RecordType* packet_type;
 
-extern double packet_sort_window;
-
 extern int orig_addr_anonymization, resp_addr_anonymization;
 extern int other_addr_anonymization;
 extern TableVal* preserve_orig_addr;
diff --git a/src/PacketSort.cc b/src/PacketSort.cc
deleted file mode 100644
index 429d8e2720..0000000000
--- a/src/PacketSort.cc
+++ /dev/null
@@ -1,364 +0,0 @@
-#include "IP.h"
-#include "PacketSort.h"
-
-const bool DEBUG_packetsort = false;
-
-PacketSortElement::PacketSortElement(PktSrc* arg_src,
-			double arg_timestamp, const struct pcap_pkthdr* arg_hdr,
-			const u_char* arg_pkt, int arg_hdr_size)
-	{
-	src = arg_src;
-	timestamp = arg_timestamp;
-	hdr = *arg_hdr;
-	hdr_size = arg_hdr_size;
-
-	pkt = new u_char[hdr.caplen];
-	memcpy(pkt, arg_pkt, hdr.caplen);
-
-	is_tcp = 0;
-	ip_hdr = 0;
-	tcp_flags = 0;
-	endp = 0;
-	payload_length = 0;
-	key = 0;
-
-	// Now check if it is a "parsable" TCP packet.
-	uint32 caplen = hdr.caplen;
-	uint32 tcp_offset;
-
-	if ( caplen >= sizeof(struct ip) + hdr_size )
-		{
-		const struct ip* ip = (const struct ip*) (pkt + hdr_size);
-		if ( ip->ip_v == 4 )
-			ip_hdr = new IP_Hdr(ip, false);
-		else if ( ip->ip_v == 6 && (caplen >= sizeof(struct ip6_hdr) + hdr_size) )
-			ip_hdr = new IP_Hdr((const struct ip6_hdr*) ip, false, caplen - hdr_size);
-		else
-			// Weird will be generated later in NetSessions::NextPacket.
-			return;
-
-		if ( ip_hdr->NextProto() == IPPROTO_TCP &&
-		      // Note: can't sort fragmented packets
-		     ( ! ip_hdr->IsFragment() ) )
-			{
-			tcp_offset = hdr_size + ip_hdr->HdrLen();
-			if ( caplen >= tcp_offset + sizeof(struct tcphdr) )
-				{
-				const struct tcphdr* tp = (const struct tcphdr*)
-							(pkt + tcp_offset);
-
-				id.src_addr = ip_hdr->SrcAddr();
-				id.dst_addr = ip_hdr->DstAddr();
-				id.src_port = tp->th_sport;
-				id.dst_port = tp->th_dport;
-				id.is_one_way = 0;
-
-				endp = addr_port_canon_lt(id.src_addr,
-							  id.src_port,
-							  id.dst_addr,
-							  id.dst_port) ? 0 : 1;
-
-				seq[endp] = ntohl(tp->th_seq);
-
-				if ( tp->th_flags & TH_ACK )
-					seq[1-endp] = ntohl(tp->th_ack);
-				else
-					seq[1-endp] = 0;
-
-				tcp_flags = tp->th_flags;
-
-				// DEBUG_MSG("%.6f: %u, %u\n", timestamp, seq[0], seq[1]);
-
-				payload_length = ip_hdr->PayloadLen() - tp->th_off * 4;
-
-				key = BuildConnIDHashKey(id);
-
-				is_tcp = 1;
-				}
-			}
-		}
-
-	if ( DEBUG_packetsort && ! is_tcp )
-		DEBUG_MSG("%.6f non-TCP packet\n", timestamp);
-	}
-
-PacketSortElement::~PacketSortElement()
-	{
-	delete [] pkt;
-	delete ip_hdr;
-	delete key;
-	}
-
-int PacketSortPQ::Timestamp_Cmp(PacketSortElement* a, PacketSortElement* b)
-	{
-	double d = a->timestamp - b->timestamp;
-
-	if ( d > 0 ) return 1;
-	else if ( d < 0 ) return -1;
-	else return 0;
-	}
-
-int PacketSortPQ::UpdatePQ(PacketSortElement* prev_e, PacketSortElement* new_e)
-	{
-	int index = prev_e->pq_index[pq_level];
-
-	new_e->pq_index[pq_level] = index;
-	pq[index] = new_e;
-
-	if ( Cmp(prev_e, new_e) > 0 )
-		return FixUp(new_e, index);
-	else
-		{
-		FixDown(new_e, index);
-		return index == 0;
-		}
-	}
-
-int PacketSortPQ::AddToPQ(PacketSortElement* new_e)
-	{
-	int index = pq.size();
-
-	new_e->pq_index[pq_level] = index;
-	pq.push_back(new_e);
-
-	return FixUp(new_e, index);
-	}
-
-int PacketSortPQ::RemoveFromPQ(PacketSortElement* prev_e)
-	{
-	if ( pq.size() > 1 )
-		{
-		PacketSortElement* new_e = pq[pq.size() - 1];
-		pq.pop_back();
-		return UpdatePQ(prev_e, new_e);		
-		}
-	else
-		{
-		pq.pop_back();
-		return 1;
-		}
-	}
-
-void PacketSortPQ::Assign(int k, PacketSortElement* e)
-	{
-	pq[k] = e;
-	e->pq_index[pq_level] = k;
-	}
-
-PacketSortConnPQ::~PacketSortConnPQ()
-	{
-	// Delete elements only in ConnPQ (not in GlobalPQ) to avoid
-	// double delete.
-	for ( int i = 0; i < (int) pq.size(); ++i )
-		{
-		delete pq[i];
-		pq[i] = 0;
-		}
-	}
-
-int PacketSortConnPQ::Cmp(PacketSortElement* a, PacketSortElement* b)
-	{
-	// Note: here we do not distinguish between packets without
-	// an ACK and packets with seq/ack of 0. The later will sorted
-	// only by their timestamps.
-
-	if ( a->seq[0] && b->seq[0] && a->seq[0] != b->seq[0] )
-		return (a->seq[0] > b->seq[0]) ? 1 : -1;
-
-	else if ( a->seq[1] && b->seq[1] && a->seq[1] != b->seq[1] )
-		return (a->seq[1] > b->seq[1]) ? 1 : -1;
-
-	else
-		return Timestamp_Cmp(a, b);
-	}
-
-int PacketSortPQ::FixUp(PacketSortElement* e, int k)
-	{
-	if ( k == 0 )
-		{
-		Assign(0, e);
-		return 1;
-		}
-
-	int parent = (k-1) / 2;
-	if ( Cmp(pq[parent], e) > 0 )
-		{
-		Assign(k, pq[parent]);
-		return FixUp(e, parent);
-		}
-	else
-		{
-		Assign(k, e);
-		return 0;
-		}
-	}
-
-void PacketSortPQ::FixDown(PacketSortElement* e, int k)
-	{
-	uint32 kid = k * 2 + 1;
-
-	if ( kid >= pq.size() )
-		{
-		Assign(k, e);
-		return;
-		}
-
-	if ( kid + 1 < pq.size() && Cmp(pq[kid], pq[kid+1]) > 0 )
-		++kid;
-
-	if ( Cmp(e, pq[kid]) > 0 )
-		{
-		Assign(k, pq[kid]);
-		FixDown(e, kid);
-		}
-	else
-		Assign(k, e);
-	}
-
-
-int PacketSortConnPQ::Add(PacketSortElement* e)
-	{
-#if 0
-	int endp = e->endp;
-	uint32 end_seq = e->seq[endp] + e->payload_length;
-
-	int p = 1 - endp;
-	if ( (e->tcp_flags & TH_RST) && ! (e->tcp_flags & TH_ACK) )
-		{
-		DEBUG_MSG("%.6f %c: %u -> %u\n",
-			  e->TimeStamp(), (p == endp) ? 'S' : 'A',
-			  e->seq[p], next_seq[p]);
-		e->seq[p] = next_seq[p];
-		}
-
-	if ( end_seq > next_seq[endp] )
-		next_seq[endp] = end_seq;
-#endif
-
-	return AddToPQ(e);
-	}
-
-void PacketSortConnPQ::UpdateDeliveredSeq(int endp, int seq, int len, int ack)
-	{
-	if ( delivered_seq[endp] == 0 || delivered_seq[endp] == seq )
-		delivered_seq[endp] = seq + len;
-	if ( ack > delivered_seq[1 - endp] )
-		delivered_seq[endp] = ack;
-	}
-
-bool PacketSortConnPQ::IsContentGapSafe(PacketSortElement* e)
-	{
-	int ack = e->seq[1 - e->endp];
-	return ack <= delivered_seq[1 - e->endp];
-	}
-
-int PacketSortConnPQ::Remove(PacketSortElement* e)
-	{
-	int ret = RemoveFromPQ(e);
-	UpdateDeliveredSeq(e->endp, e->seq[e->endp], e->payload_length,
-				e->seq[1 - e->endp]);
-	return ret;
-	}
-
-static void DeleteConnPQ(void* p)
-	{
-	delete (PacketSortConnPQ*) p;
-	}
-
-PacketSortGlobalPQ::PacketSortGlobalPQ()
-	{
-	pq_level = GLOBAL_PQ;
-	conn_pq_table.SetDeleteFunc(DeleteConnPQ);
-	}
-
-PacketSortGlobalPQ::~PacketSortGlobalPQ()
-	{
-	// Destruction of PacketSortConnPQ will delete all conn_pq's.
-	}
-
-int PacketSortGlobalPQ::Add(PacketSortElement* e)
-	{
-	if ( e->is_tcp )
-		{
-		// TCP packets are sorted by sequence numbers
-		PacketSortConnPQ* conn_pq = FindConnPQ(e);
-		PacketSortElement* prev_min = conn_pq->Min();
-
-		if ( conn_pq->Add(e) )
-			{
-			ASSERT(conn_pq->Min() != prev_min);
-
-			if ( prev_min )
-				return UpdatePQ(prev_min, e);
-			else
-				return AddToPQ(e);
-			}
-
-		else
-			{
-			ASSERT(conn_pq->Min() == prev_min);
-			return 0;
-			}
-		}
-	else
-		return AddToPQ(e);
-	}
-
-PacketSortElement* PacketSortGlobalPQ::RemoveMin(double timestamp)
-	{
-	PacketSortElement* e = Min();
-
-	if ( ! e )
-		return 0;
-
-	if ( e->is_tcp )
-		{
-		PacketSortConnPQ* conn_pq = FindConnPQ(e);
-
-#if 0
-		// Note: the content gap safety check does not work
-		// because we remove the state for a connection once
-		// it has no packet in the priority queue.
-
-		// Do not deliver e if it arrives later than timestamp,
-		// and is not content-gap-safe.
-		if ( e->timestamp > timestamp &&
-		     ! conn_pq->IsContentGapSafe(e) )
-			return 0;
-#else
-		if ( e->timestamp > timestamp )
-			return 0;
-#endif
-
-		conn_pq->Remove(e);
-		PacketSortElement* new_e = conn_pq->Min();
-
-		if ( new_e )
-			UpdatePQ(e, new_e);
-		else
-			{
-			RemoveFromPQ(e);
-			conn_pq_table.Remove(e->key);
-			delete conn_pq;
-			}
-		}
-	else
-		RemoveFromPQ(e);
-
-	return e;
-	}
-
-PacketSortConnPQ* PacketSortGlobalPQ::FindConnPQ(PacketSortElement* e)
-	{
-	if ( ! e->is_tcp )
-		reporter->InternalError("cannot find a connection for an invalid id");
-
-	PacketSortConnPQ* pq = (PacketSortConnPQ*) conn_pq_table.Lookup(e->key);
-	if ( ! pq )
-		{
-		pq = new PacketSortConnPQ();
-		conn_pq_table.Insert(e->key, pq);
-		}
-
-	return pq;
-	}
diff --git a/src/PacketSort.h b/src/PacketSort.h
deleted file mode 100644
index 199da0732f..0000000000
--- a/src/PacketSort.h
+++ /dev/null
@@ -1,132 +0,0 @@
-#ifndef packetsort_h
-#define packetsort_h
-
-// Timestamps can be imprecise and even inconsistent among packets
-// from different sources. This class tries to guess a "correct"
-// order by looking at TCP sequence numbers.
-//
-// In particular, it tries to eliminate "false" content gaps.
-
-#include "Dict.h"
-#include "Conn.h"
-
-enum {
-	CONN_PQ,
-	GLOBAL_PQ,
-	NUM_OF_PQ_LEVEL,
-};
-
-class PktSrc;
-
-class PacketSortElement {
-public:
-	PacketSortElement(PktSrc* src, double timestamp,
-				const struct pcap_pkthdr* hdr,
-				const u_char* pkt, int hdr_size);
-	~PacketSortElement();
-
-	PktSrc* Src() const			{ return src; }
-	double TimeStamp() const		{ return timestamp; }
-	const struct pcap_pkthdr* Hdr() const	{ return &hdr; }
-	const u_char* Pkt() const		{ return pkt; }
-	int HdrSize() const			{ return hdr_size; }
-	const IP_Hdr* IPHdr() const		{ return ip_hdr; }
-
-protected:
-	PktSrc* src;
-	double timestamp;
-	struct pcap_pkthdr hdr;
-	u_char* pkt;
-	int hdr_size;
-
-	IP_Hdr* ip_hdr;
-	int is_tcp;
-	ConnID id;
-	uint32 seq[2];	// indexed by endpoint
-	int tcp_flags;
-	int endp;	// 0 or 1
-	int payload_length;
-
-	HashKey* key;
-
-	int pq_index[NUM_OF_PQ_LEVEL];
-
-	friend class PacketSortPQ;
-	friend class PacketSortConnPQ;
-	friend class PacketSortGlobalPQ;
-};
-
-class PacketSortPQ {
-public:
-	PacketSortPQ()
-		{ pq_level = -1; }
-	virtual ~PacketSortPQ() {}
-
-	PacketSortElement* Min() const	{ return (pq.size() > 0) ? pq[0] : 0; }
-
-protected:
-	virtual int Cmp(PacketSortElement* a, PacketSortElement* b) = 0;
-	int Timestamp_Cmp(PacketSortElement* a, PacketSortElement* b);
-
-	int UpdatePQ(PacketSortElement* prev_e, PacketSortElement* new_e);
-	int AddToPQ(PacketSortElement* e);
-	int RemoveFromPQ(PacketSortElement* e);
-
-	void Assign(int k, PacketSortElement* e);
-	int FixUp(PacketSortElement* e, int k);
-	void FixDown(PacketSortElement* e, int k);
-
-	vector<PacketSortElement*> pq;
-	int pq_level;
-};
-
-// Sort by sequence numbers within a connection
-class PacketSortConnPQ : public PacketSortPQ {
-public:
-	PacketSortConnPQ()
-		{
-		pq_level = CONN_PQ;
-		delivered_seq[0] = delivered_seq[1] = 0;
-		}
-	~PacketSortConnPQ();
-
-	int Add(PacketSortElement* e);
-
-	int Remove(PacketSortElement* e);
-
-	bool IsContentGapSafe(PacketSortElement* e);
-
-protected:
-	int Cmp(PacketSortElement* a, PacketSortElement* b);
-	void UpdateDeliveredSeq(int endp, int seq, int len, int ack);
-
-	int delivered_seq[2];
-};
-
-declare(PDict, PacketSortConnPQ);
-
-// Sort by timestamps.
-class PacketSortGlobalPQ : public PacketSortPQ {
-public:
-	PacketSortGlobalPQ();
-	~PacketSortGlobalPQ();
-
-	int Add(PacketSortElement* e);
-
-	int Empty() const { return conn_pq_table.Length() == 0; }
-
-	// Returns the next packet to dispatch if it arrives earlier than the
-	// given timestamp, otherwise returns 0.
-	// The packet, if to be returned, is also removed from the
-	// priority queue.
-	PacketSortElement* RemoveMin(double timestamp);
-
-protected:
-	int Cmp(PacketSortElement* a, PacketSortElement* b)
-		{ return Timestamp_Cmp(a, b); }
-	PacketSortConnPQ* FindConnPQ(PacketSortElement* e);
-
-	PDict(PacketSortConnPQ) conn_pq_table;
-};
-
-#endif
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 179630cdbd..528f10f92c 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -220,6 +220,12 @@ void PktSrc::Process()
 		break;
 		}
 
+	case DLT_IEEE802_11:
+		{
+			printf("Here\n");
+			exit(0);
+		}
+
 	case DLT_EN10MB:
 		{
 		// Get protocol being carried from the ethernet frame.
@@ -317,13 +323,13 @@ void PktSrc::Process()
 	if ( pseudo_realtime )
 		{
 		current_pseudo = CheckPseudoTime();
-		net_packet_arrival(current_pseudo, &hdr, data, pkt_hdr_size, this);
+		net_packet_dispatch(current_pseudo, &hdr, data, pkt_hdr_size, this);
 		if ( ! first_wallclock )
 			first_wallclock = current_time(true);
 		}
 
 	else
-		net_packet_arrival(current_timestamp, &hdr, data, pkt_hdr_size, this);
+		net_packet_dispatch(current_timestamp, &hdr, data, pkt_hdr_size, this);
 
 	data = 0;
 	}
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index c8cf03667b..8d07f34d38 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -1466,7 +1466,7 @@ void RemoteSerializer::Process()
 		current_pkt = p->pkt;
 		current_pktsrc = 0;
 		current_iosrc = this;
-		sessions->NextPacket(p->time, p->hdr, p->pkt, p->hdr_size, 0);
+		sessions->NextPacket(p->time, p->hdr, p->pkt, p->hdr_size);
 		mgr.Drain();
 
 		current_hdr = 0;	// done with these
diff --git a/src/Sessions.cc b/src/Sessions.cc
index f7f2f37470..ec275a1689 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -30,7 +30,6 @@
 #include "Discard.h"
 #include "RuleMatcher.h"
 
-#include "PacketSort.h"
 #include "TunnelEncapsulation.h"
 
 #include "analyzer/Manager.h"
@@ -168,7 +167,7 @@ void NetSessions::Done()
 
 void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			const u_char* pkt, int hdr_size,
-			PktSrc* src_ps, PacketSortElement* pkt_elem)
+			PktSrc* src_ps)
 	{
 	const struct ip* ip_hdr = 0;
 	const u_char* ip_data = 0;
@@ -186,14 +185,13 @@ void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 		hdr_size += encap_hdr_size;
 
 	if ( src_ps->FilterType() == TYPE_FILTER_NORMAL )
-		NextPacket(t, hdr, pkt, hdr_size, pkt_elem);
+		NextPacket(t, hdr, pkt, hdr_size);
 	else
 		NextPacketSecondary(t, hdr, pkt, hdr_size, src_ps);
 	}
 
 void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
-			     const u_char* const pkt, int hdr_size,
-			     PacketSortElement* pkt_elem)
+			     const u_char* const pkt, int hdr_size)
 	{
 	SegmentProfiler(segment_logger, "processing-packet");
 	if ( pkt_profiler )
@@ -206,70 +204,58 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
 	if ( record_all_packets )
 		DumpPacket(hdr, pkt);
 
-	if ( pkt_elem && pkt_elem->IPHdr() )
-		// Fast path for "normal" IP packets if an IP_Hdr is
-		// already extracted when doing PacketSort. Otherwise
-		// the code below tries to extract the IP header, the
-		// difference here is that header extraction in
-		// PacketSort does not generate Weird events.
+	// ### The following isn't really correct.  What we *should*
+	// do is understanding the different link layers in order to
+	// find the network-layer protocol ID.  That's a big
+	// portability pain, though, unless we just assume everything's
+	// Ethernet .... not great, given the potential need to deal
+	// with PPP or FDDI (for some older traces).  So instead
+	// we look to see if what we have is consistent with an
+	// IPv4 packet.  If not, it's either ARP or IPv6 or weird.
 
-		DoNextPacket(t, hdr, pkt_elem->IPHdr(), pkt, hdr_size, 0);
-
-	else
+	if ( hdr_size > static_cast<int>(hdr->caplen) )
 		{
-		// ### The following isn't really correct.  What we *should*
-		// do is understanding the different link layers in order to
-		// find the network-layer protocol ID.  That's a big
-		// portability pain, though, unless we just assume everything's
-		// Ethernet .... not great, given the potential need to deal
-		// with PPP or FDDI (for some older traces).  So instead
-		// we look to see if what we have is consistent with an
-		// IPv4 packet.  If not, it's either ARP or IPv6 or weird.
+		Weird("truncated_link_frame", hdr, pkt);
+		return;
+		}
 
-		if ( hdr_size > static_cast<int>(hdr->caplen) )
-			{
-			Weird("truncated_link_frame", hdr, pkt);
-			return;
-			}
+	uint32 caplen = hdr->caplen - hdr_size;
+	if ( caplen < sizeof(struct ip) )
+		{
+		Weird("truncated_IP", hdr, pkt);
+		return;
+		}
 
-		uint32 caplen = hdr->caplen - hdr_size;
-		if ( caplen < sizeof(struct ip) )
+	const struct ip* ip = (const struct ip*) (pkt + hdr_size);
+
+	if ( ip->ip_v == 4 )
+		{
+		IP_Hdr ip_hdr(ip, false);
+		DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
+		}
+
+	else if ( ip->ip_v == 6 )
+		{
+		if ( caplen < sizeof(struct ip6_hdr) )
 			{
 			Weird("truncated_IP", hdr, pkt);
 			return;
 			}
 
-		const struct ip* ip = (const struct ip*) (pkt + hdr_size);
+		IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size), false, caplen);
+		DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
+		}
 
-		if ( ip->ip_v == 4 )
-			{
-			IP_Hdr ip_hdr(ip, false);
-			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
-			}
+	else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) )
+		{
+		if ( arp_analyzer )
+			arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
+		}
 
-		else if ( ip->ip_v == 6 )
-			{
-			if ( caplen < sizeof(struct ip6_hdr) )
-				{
-				Weird("truncated_IP", hdr, pkt);
-				return;
-				}
-
-			IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size), false, caplen);
-			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
-			}
-
-		else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) )
-			{
-			if ( arp_analyzer )
-				arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
-			}
-
-		else
-			{
-			Weird("unknown_packet_type", hdr, pkt);
-			return;
-			}
+	else
+		{
+		Weird("unknown_packet_type", hdr, pkt);
+		return;
 		}
 
 	if ( dump_this_packet && ! record_all_packets )
diff --git a/src/Sessions.h b/src/Sessions.h
index e2dec3b1aa..06cdbca978 100644
--- a/src/Sessions.h
+++ b/src/Sessions.h
@@ -28,7 +28,6 @@ declare(PDict,FragReassembler);
 
 class Discarder;
 class PacketFilter;
-class PacketSortElement;
 
 namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
 namespace analyzer { namespace arp { class ARP_Analyzer; } }
@@ -74,7 +73,7 @@ public:
 	// employing the packet sorter first.
 	void DispatchPacket(double t, const struct pcap_pkthdr* hdr,
 			const u_char* const pkt, int hdr_size,
-			PktSrc* src_ps, PacketSortElement* pkt_elem);
+			PktSrc* src_ps);
 
 	void Done();	// call to drain events before destructing
 
@@ -220,8 +219,7 @@ protected:
 				uint8 tcp_flags, bool& flip_roles);
 
 	void NextPacket(double t, const struct pcap_pkthdr* hdr,
-			const u_char* const pkt, int hdr_size,
-			PacketSortElement* pkt_elem);
+			const u_char* const pkt, int hdr_size);
 
 	void NextPacketSecondary(double t, const struct pcap_pkthdr* hdr,
 			const u_char* const pkt, int hdr_size,
diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h
index f09dc6c398..83f447817e 100644
--- a/src/analyzer/protocol/arp/ARP.h
+++ b/src/analyzer/protocol/arp/ARP.h
@@ -24,7 +24,11 @@
 #endif
 
 #include "NetVar.h"
-#include "PacketSort.h"
+
+// for pcap_pkthdr
+extern "C" {
+#include <pcap.h>
+}
 
 namespace analyzer { namespace arp {
 

From 80c319b522dcad8f1ee41de52d9f962fb3e615d5 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 26 Feb 2014 14:47:40 -0800
Subject: [PATCH 060/220] adjust timings of a few leak tests.

Without the longer timeouts, these consistently fail for me
on caddy when doing "make test".
---
 testing/btest/core/leaks/ayiya.test          | 2 +-
 testing/btest/core/leaks/bloomfilter.bro     | 2 +-
 testing/btest/core/leaks/gridftp.test        | 2 +-
 testing/btest/core/leaks/gtp_opt_header.test | 2 +-
 testing/btest/core/leaks/input-reread.bro    | 8 ++++----
 testing/btest/core/leaks/teredo.bro          | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/testing/btest/core/leaks/ayiya.test b/testing/btest/core/leaks/ayiya.test
index 36e925951b..bf9f867cdd 100644
--- a/testing/btest/core/leaks/ayiya.test
+++ b/testing/btest/core/leaks/ayiya.test
@@ -5,4 +5,4 @@
 # @TEST-GROUP: leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/tunnels/ayiya3.trace
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
diff --git a/testing/btest/core/leaks/bloomfilter.bro b/testing/btest/core/leaks/bloomfilter.bro
index 6d9b74114e..e35294f98c 100644
--- a/testing/btest/core/leaks/bloomfilter.bro
+++ b/testing/btest/core/leaks/bloomfilter.bro
@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/wikipedia.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 function test_basic_bloom_filter()
   {
diff --git a/testing/btest/core/leaks/gridftp.test b/testing/btest/core/leaks/gridftp.test
index b9a0a70127..f0ba6cf8e6 100644
--- a/testing/btest/core/leaks/gridftp.test
+++ b/testing/btest/core/leaks/gridftp.test
@@ -5,7 +5,7 @@
 # @TEST-GROUP: leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/globus-url-copy.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/ftp/gridftp
 
diff --git a/testing/btest/core/leaks/gtp_opt_header.test b/testing/btest/core/leaks/gtp_opt_header.test
index 771e4b3861..4205766ee0 100644
--- a/testing/btest/core/leaks/gtp_opt_header.test
+++ b/testing/btest/core/leaks/gtp_opt_header.test
@@ -5,7 +5,7 @@
 # @TEST-GROUP: leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/tunnels/gtp/gtp6_gtp_0x32.pcap %INPUT >out
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 # Some GTPv1 headers have some optional fields totaling to a 4-byte extension
 # of the mandatory header.
diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.bro
index c6ff5361be..e9aab062d0 100644
--- a/testing/btest/core/leaks/input-reread.bro
+++ b/testing/btest/core/leaks/input-reread.bro
@@ -6,13 +6,13 @@
 #
 # @TEST-EXEC: cp input1.log input.log
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT
-# @TEST-EXEC: sleep 5
+# @TEST-EXEC: sleep 10
 # @TEST-EXEC: cp input2.log input.log
-# @TEST-EXEC: sleep 5
+# @TEST-EXEC: sleep 10
 # @TEST-EXEC: cp input3.log input.log
-# @TEST-EXEC: sleep 5
+# @TEST-EXEC: sleep 10
 # @TEST-EXEC: cp input4.log input.log
-# @TEST-EXEC: sleep 5
+# @TEST-EXEC: sleep 10
 # @TEST-EXEC: cp input5.log input.log
 # @TEST-EXEC: btest-bg-wait 30
 
diff --git a/testing/btest/core/leaks/teredo.bro b/testing/btest/core/leaks/teredo.bro
index 69c961fec4..a97172271e 100644
--- a/testing/btest/core/leaks/teredo.bro
+++ b/testing/btest/core/leaks/teredo.bro
@@ -5,7 +5,7 @@
 # @TEST-GROUP: leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/tunnels/Teredo.pcap %INPUT >output
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 function print_teredo(name: string, outer: connection, inner: teredo_hdr)
 	{

From 1735e33691dad0d500f024300a0c2dfb716a3fdc Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 28 Feb 2014 02:09:06 -0800
Subject: [PATCH 061/220] Backport crash fix that made it into master with the
 x509_extension backport from here.

---
 src/file_analysis/analyzer/x509/X509.cc | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 59ab644634..c2c2a0b8bc 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -163,10 +163,13 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	
 	BIO_flush(bio);
 	int length = BIO_pending(bio);
-	char *buffer = new char[length];
+
+	// Use OPENSSL_malloc here. Using new or anything else can lead
+	// to interesting, hard to debug segfaults.
+	char *buffer = (char*) OPENSSL_malloc(length);
 	BIO_read(bio, (void*)buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
-	delete(buffer);
+	OPENSSL_free(buffer);
 	BIO_free_all(bio);
 
 	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);						
@@ -189,16 +192,13 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 
 	mgr.QueueEvent(x509_extension, vl);
 
-
 	// look if we have a specialized handler for this event...
 	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) 
 		ParseBasicConstraints(ex);
 	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
 		ParseSAN(ex);
-
-	
-
 	}
+
 void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
@@ -222,7 +222,6 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
 
 		}
-		
 	}
 
 void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) 

From 7ba6bcff2ca20c5d57244b7e6f11a22c95520819 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 28 Feb 2014 02:43:16 -0800
Subject: [PATCH 062/220] Second try on the event interface.

Now the x509 opaque is wrapped in the certificate structure. After
pondering on it for a bit, this might not be the brightest idea.
---
 scripts/base/files/x509/main.bro           |  6 +--
 scripts/base/init-bare.bro                 | 25 +-----------
 src/NetVar.cc                              |  6 ---
 src/NetVar.h                               |  3 --
 src/file_analysis/analyzer/x509/X509.cc    | 45 ++++++++++++++--------
 src/file_analysis/analyzer/x509/X509.h     | 11 +++---
 src/file_analysis/analyzer/x509/events.bif |  6 +--
 7 files changed, 40 insertions(+), 62 deletions(-)

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 458a389934..d19327f07c 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -12,17 +12,17 @@ event x509_cert(f: fa_file, cert: X509::Certificate)
 	print cert;
 	}
 
-event x509_extension(f: fa_file, ext: X509::Extension)
+event x509_extension(f: fa_file, cert: X509::Certificate, ext: X509::Extension)
 {
 print ext;
 }
 
-event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints)
+event x509_ext_basic_constraints(f: fa_file, cert: X509::Certificate, ext: X509::BasicConstraints)
 {
 print ext;
 }
 
-event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) 
+event x509_ext_subject_alternative_name(f: fa_file, cert: X509::Certificate, ext: X509::SubjectAlternativeName) 
 {
 print ext;
 }
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 8573fc2876..e4c1803fcb 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2420,29 +2420,6 @@ global dns_skip_all_addl = T &redef;
 ## traffic and do not process it.  Set to 0 to turn off this functionality.
 global dns_max_queries = 5;
 
-## An X509 certificate.
-##
-## .. bro:see:: x509_certificate
-type X509: record {
-	version: count;	##< Version number.
-	serial: string;	##< Serial number.
-	subject: string;	##< Subject.
-	issuer: string;	##< Issuer.
-	not_valid_before: time;	##< Timestamp before when certificate is not valid.
-	not_valid_after: time;	##< Timestamp after when certificate is not valid.
-};
-
-## An X509 extension.
-##
-## .. bro:see:: x509_extension
-type X509_extension_info: record {
-	name: string;	##< Long name of extension; oid if name not known.
-	short_name: string &optional;	##< Short name of extension if known.
-	oid: string;	##< Oid of extension.
-	critical: bool;	##< True if extension is critical.
-	value: string;	##< Extension content parsed to string for known extensions. Raw data otherwise.
-};
-
 ## HTTP session statistics.
 ##
 ## .. bro:see:: http_stats
@@ -2767,6 +2744,7 @@ export {
 module X509;
 export {
 	type X509::Certificate: record {
+		certificate: opaque of x509; ##< OpenSSL certificate reference
 		version: count;	##< Version number.
 		serial: string;	##< Serial number.
 		subject: string;	##< Subject.
@@ -2799,7 +2777,6 @@ export {
 	type X509::SubjectAlternativeName: record {
 		names: vector of string;
 	};
-
 }
 		
 module SOCKS;
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 05a4e16b47..2883adcf9f 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -47,9 +47,6 @@ int tcp_max_initial_window;
 int tcp_max_above_hole_without_any_acks;
 int tcp_excessive_data_without_further_acks;
 
-RecordType* x509_type;
-RecordType* x509_extension_type;
-
 RecordType* socks_address;
 
 double non_analyzed_lifetime;
@@ -356,9 +353,6 @@ void init_net_var()
 	tcp_excessive_data_without_further_acks =
 		opt_internal_int("tcp_excessive_data_without_further_acks");
 
-	x509_type = internal_type("X509")->AsRecordType();
-	x509_extension_type = internal_type("X509_extension_info")->AsRecordType();
-
 	socks_address = internal_type("SOCKS::Address")->AsRecordType();
 
 	non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime");
diff --git a/src/NetVar.h b/src/NetVar.h
index 8ef6571313..55f3955fa4 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -50,9 +50,6 @@ extern int tcp_max_initial_window;
 extern int tcp_max_above_hole_without_any_acks;
 extern int tcp_excessive_data_without_further_acks;
 
-extern RecordType* x509_type;
-extern RecordType* x509_extension_type;
-
 extern RecordType* socks_address;
 
 extern double non_analyzed_lifetime;
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index c2c2a0b8bc..684f4f54ba 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -49,7 +49,7 @@ bool file_analysis::X509::EndOfFile()
 		return false;
 		}
 
-	ParseCertificate(ssl_cert);
+	RecordVal* cert_record = ParseCertificate(ssl_cert); // cert_record takes ownership of ssl_cert
 
 	// after parsing the certificate - parse the extensions...
 
@@ -60,37 +60,43 @@ bool file_analysis::X509::EndOfFile()
 		if ( !ex )
 			continue;
 
-		ParseExtension(ex);
+		ParseExtension(ex, cert_record);
 		}
 	
-	X509_free(ssl_cert);
+	// X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted
+	// inside the X509Val that is sent on in the cert record to scriptland.
+	//
+	// The certificate will be freed when the last X509Val is Unref'd.
+	
+	Unref(cert_record); // Unref the RecordVal that we kept around from ParseCertificate
 
 	return false;
 	}
 
-void file_analysis::X509::ParseCertificate(::X509* ssl_cert) 
+RecordVal* file_analysis::X509::ParseCertificate(::X509* ssl_cert) 
 	{
 	char buf[256]; // we need a buffer for some of the openssl functions
-	memset(buf, 0, 256);	
+	memset(buf, 0, 256);
 	
 	RecordVal* pX509Cert = new RecordVal(BifType::Record::X509::Certificate);
 	BIO *bio = BIO_new(BIO_s_mem());
 
-	pX509Cert->Assign(0, new Val((uint64) X509_get_version(ssl_cert), TYPE_COUNT));
+	pX509Cert->Assign(0, new X509Val(ssl_cert)); // take ownership for cleanup
+	pX509Cert->Assign(1, new Val((uint64) X509_get_version(ssl_cert), TYPE_COUNT));
 	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
 	int len = BIO_read(bio, &(*buf), sizeof buf);
-	pX509Cert->Assign(1, new StringVal(len, buf));
+	pX509Cert->Assign(2, new StringVal(len, buf));
 
 	X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
 	len = BIO_gets(bio, &(*buf), sizeof buf);
-	pX509Cert->Assign(2, new StringVal(len, buf));
+	pX509Cert->Assign(3, new StringVal(len, buf));
 	X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
 	len = BIO_gets(bio, &(*buf), sizeof buf);
-	pX509Cert->Assign(3, new StringVal(len, buf));
+	pX509Cert->Assign(4, new StringVal(len, buf));
 	BIO_free(bio);
 
-	pX509Cert->Assign(4, new Val(get_time_from_asn1(X509_get_notBefore(ssl_cert)), TYPE_TIME));
-	pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notAfter(ssl_cert)), TYPE_TIME));
+	pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notBefore(ssl_cert)), TYPE_TIME));
+	pX509Cert->Assign(6, new Val(get_time_from_asn1(X509_get_notAfter(ssl_cert)), TYPE_TIME));
 
 	// we only read 255 bytes because byte 256 is always 0.
 	// if the string is longer than 255, that will be our null-termination,
@@ -137,12 +143,14 @@ void file_analysis::X509::ParseCertificate(::X509* ssl_cert)
 
 	val_list* vl = new val_list();
 	vl->append(GetFile()->GetVal()->Ref());
-	vl->append(pX509Cert);
+	vl->append(pX509Cert->Ref()); // we Ref it here, because we want to keep a copy around for now...
 
 	mgr.QueueEvent(x509_cert, vl);
+
+	return pX509Cert;
 	}
 
-void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) 
+void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r) 
 	{
 	char name[256];
 	char oid[256];
@@ -188,18 +196,19 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	// but I am not sure if there is a better way to do it...
 	val_list* vl = new val_list();
 	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(r->Ref());
 	vl->append(pX509Ext);
 
 	mgr.QueueEvent(x509_extension, vl);
 
 	// look if we have a specialized handler for this event...
 	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) 
-		ParseBasicConstraints(ex);
+		ParseBasicConstraints(ex, r);
 	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
-		ParseSAN(ex);
+		ParseSAN(ex, r);
 	}
 
-void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) 
+void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
 	
@@ -217,6 +226,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		}
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
+		vl->append(r->Ref());
 		vl->append(pBasicConstraint);
 
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
@@ -224,7 +234,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		}
 	}
 
-void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) 
+void file_analysis::X509::ParseSAN(X509_EXTENSION* ext, RecordVal* r) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
 
@@ -268,6 +278,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
+		vl->append(r->Ref());
 		vl->append(pSan);
 
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index 80bb68209e..f64aa3eb58 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -31,10 +31,10 @@ private:
 	static StringVal* key_curve(EVP_PKEY *key);
 	static unsigned int key_length(EVP_PKEY *key);
 
-	void ParseCertificate(::X509* ssl_cert);
-	void ParseExtension(X509_EXTENSION* ex);
-	void ParseBasicConstraints(X509_EXTENSION* ex);
-	void ParseSAN(X509_EXTENSION* ex);
+	RecordVal* ParseCertificate(::X509* ssl_cert);
+	void ParseExtension(X509_EXTENSION* ex, RecordVal* r);
+	void ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r);
+	void ParseSAN(X509_EXTENSION* ex, RecordVal* r);
 
 	std::string cert_data;
 };
@@ -55,7 +55,7 @@ public:
 	 *
 	 * @return A newly initialized X509Val
 	 */
-	X509Val(::X509* certificate);
+	explicit X509Val(::X509* certificate);
 
 	/**
 	 * Destructor.
@@ -84,5 +84,4 @@ private:
 
 }
 
-
 #endif
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 148d09ec00..2787746e0c 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1,4 +1,4 @@
 event x509_cert%(f: fa_file, cert: X509::Certificate%);
-event x509_extension%(f: fa_file, ext: X509::Extension%);
-event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
-event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
+event x509_extension%(f: fa_file, cert: X509::Certificate, ext: X509::Extension%);
+event x509_ext_basic_constraints%(f: fa_file, cert: X509::Certificate, ext: X509::BasicConstraints%);
+event x509_ext_subject_alternative_name%(f: fa_file, cert: X509::Certificate, ext: X509::SubjectAlternativeName%);

From a1d91509641c1b5ed3808635dfc411f8be6ed39d Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 28 Feb 2014 03:40:18 -0800
Subject: [PATCH 063/220] Update mozilla root bundle

---
 scripts/base/protocols/ssl/mozilla-ca-list.bro | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro
index d7c5578166..7450692fdd 100644
--- a/scripts/base/protocols/ssl/mozilla-ca-list.bro
+++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro
@@ -1,5 +1,5 @@
 # Don't edit!  This file is automatically generated.
-# Generated at: 2013-11-01 05:23:08 -0700
+# Generated at: 2014-02-28 03:34:22 -0800
 # Generated from: http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
 #
 # The original source file comes with this licensing statement:
@@ -11,7 +11,6 @@
 @load base/protocols/ssl
 module SSL;
 redef root_certs += {
-	["CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US"] = "\x30\x82\x02\x5A\x30\x82\x01\xC3\x02\x02\x01\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x39\x38\x30\x38\x31\x33\x30\x30\x32\x39\x30\x30\x5A\x17\x0D\x31\x38\x30\x38\x31\x33\x32\x33\x35\x39\x30\x30\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x47\x54\x45\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x2C\x20\x49\x6E\x63\x2E\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x47\x54\x45\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\x95\x0F\xA0\xB6\xF0\x50\x9C\xE8\x7A\xC7\x88\xCD\xDD\x17\x0E\x2E\xB0\x94\xD0\x1B\x3D\x0E\xF6\x94\xC0\x8A\x94\xC7\x06\xC8\x90\x97\xC8\xB8\x64\x1A\x7A\x7E\x6C\x3C\x53\xE1\x37\x28\x73\x60\x7F\xB2\x97\x53\x07\x9F\x53\xF9\x6D\x58\x94\xD2\xAF\x8D\x6D\x88\x67\x80\xE6\xED\xB2\x95\xCF\x72\x31\xCA\xA5\x1C\x72\xBA\x5C\x02\xE7\x64\x42\xE7\xF9\xA9\x2C\xD6\x3A\x0D\xAC\x8D\x42\xAA\x24\x01\x39\xE6\x9C\x3F\x01\x85\x57\x0D\x58\x87\x45\xF8\xD3\x85\xAA\x93\x69\x26\x85\x70\x48\x80\x3F\x12\x15\xC7\x79\xB4\x1F\x05\x2F\x3B\x62\x99\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x6D\xEB\x1B\x09\xE9\x5E\xD9\x51\xDB\x67\x22\x61\xA4\x2A\x3C\x48\x77\xE3\xA0\x7C\xA6\xDE\x73\xA2\x14\x03\x85\x3D\xFB\xAB\x0E\x30\xC5\x83\x16\x33\x81\x13\x08\x9E\x7B\x34\x4E\xDF\x40\xC8\x74\xD7\xB9\x7D\xDC\xF4\x76\x55\x7D\x9B\x63\x54\x18\xE9\xF0\xEA\xF3\x5C\xB1\xD9\x8B\x42\x1E\xB9\xC0\x95\x4E\xBA\xFA\xD5\xE2\x7C\xF5\x68\x61\xBF\x8E\xEC\x05\x97\x5F\x5B\xB0\xD7\xA3\x85\x34\xC4\x24\xA7\x0D\x0F\x95\x93\xEF\xCB\x94\xD8\x9E\x1F\x9D\x5C\x85\x6D\xC7\xAA\xAE\x4F\x1F\x22\xB5\xCD\x95\xAD\xBA\xA7\xCC\xF9\xAB\x0B\x7A\x7F",
 	["emailAddress=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"] = "\x30\x82\x03\x13\x30\x82\x02\x7C\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xC4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x54\x68\x61\x77\x74\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x73\x65\x72\x76\x65\x72\x2D\x63\x65\x72\x74\x73\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x36\x30\x38\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xC4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x54\x68\x61\x77\x74\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x73\x65\x72\x76\x65\x72\x2D\x63\x65\x72\x74\x73\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xD3\xA4\x50\x6E\xC8\xFF\x56\x6B\xE6\xCF\x5D\xB6\xEA\x0C\x68\x75\x47\xA2\xAA\xC2\xDA\x84\x25\xFC\xA8\xF4\x47\x51\xDA\x85\xB5\x20\x74\x94\x86\x1E\x0F\x75\xC9\xE9\x08\x61\xF5\x06\x6D\x30\x6E\x15\x19\x02\xE9\x52\xC0\x62\xDB\x4D\x99\x9E\xE2\x6A\x0C\x44\x38\xCD\xFE\xBE\xE3\x64\x09\x70\xC5\xFE\xB1\x6B\x29\xB6\x2F\x49\xC8\x3B\xD4\x27\x04\x25\x10\x97\x2F\xE7\x90\x6D\xC0\x28\x42\x99\xD7\x4C\x43\xDE\xC3\xF5\x21\x6D\x54\x9F\x5D\xC3\x58\xE1\xC0\xE4\xD9\x5B\xB0\xB8\xDC\xB4\x7B\xDF\x36\x3A\xC2\xB5\x66\x22\x12\xD6\x87\x0D\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x07\xFA\x4C\x69\x5C\xFB\x95\xCC\x46\xEE\x85\x83\x4D\x21\x30\x8E\xCA\xD9\xA8\x6F\x49\x1A\xE6\xDA\x51\xE3\x60\x70\x6C\x84\x61\x11\xA1\x1A\xC8\x48\x3E\x59\x43\x7D\x4F\x95\x3D\xA1\x8B\xB7\x0B\x62\x98\x7A\x75\x8A\xDD\x88\x4E\x4E\x9E\x40\xDB\xA8\xCC\x32\x74\xB9\x6F\x0D\xC6\xE3\xB3\x44\x0B\xD9\x8A\x6F\x9A\x29\x9B\x99\x18\x28\x3B\xD1\xE3\x40\x28\x9A\x5A\x3C\xD5\xB5\xE7\x20\x1B\x8B\xCA\xA4\xAB\x8D\xE9\x51\xD9\xE2\x4C\x2C\x59\xA9\xDA\xB9\xB2\x75\x1B\xF6\x42\xF2\xEF\xC7\xF2\x18\xF9\x89\xBC\xA3\xFF\x8A\x23\x2E\x70\x47",
 	["emailAddress=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA"] = "\x30\x82\x03\x27\x30\x82\x02\x90\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xCE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x54\x68\x61\x77\x74\x65\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x28\x30\x26\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x19\x70\x72\x65\x6D\x69\x75\x6D\x2D\x73\x65\x72\x76\x65\x72\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x36\x30\x38\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x5A\x41\x31\x15\x30\x13\x06\x03\x55\x04\x08\x13\x0C\x57\x65\x73\x74\x65\x72\x6E\x20\x43\x61\x70\x65\x31\x12\x30\x10\x06\x03\x55\x04\x07\x13\x09\x43\x61\x70\x65\x20\x54\x6F\x77\x6E\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x13\x14\x54\x68\x61\x77\x74\x65\x20\x43\x6F\x6E\x73\x75\x6C\x74\x69\x6E\x67\x20\x63\x63\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x54\x68\x61\x77\x74\x65\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x31\x28\x30\x26\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x19\x70\x72\x65\x6D\x69\x75\x6D\x2D\x73\x65\x72\x76\x65\x72\x40\x74\x68\x61\x77\x74\x65\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xD2\x36\x36\x6A\x8B\xD7\xC2\x5B\x9E\xDA\x81\x41\x62\x8F\x38\xEE\x49\x04\x55\xD6\xD0\xEF\x1C\x1B\x95\x16\x47\xEF\x18\x48\x35\x3A\x52\xF4\x2B\x6A\x06\x8F\x3B\x2F\xEA\x56\xE3\xAF\x86\x8D\x9E\x17\xF7\x9E\xB4\x65\x75\x02\x4D\xEF\xCB\x09\xA2\x21\x51\xD8\x9B\xD0\x67\xD0\xBA\x0D\x92\x06\x14\x73\xD4\x93\xCB\x97\x2A\x00\x9C\x5C\x4E\x0C\xBC\xFA\x15\x52\xFC\xF2\x44\x6E\xDA\x11\x4A\x6E\x08\x9F\x2F\x2D\xE3\xF9\xAA\x3A\x86\x73\xB6\x46\x53\x58\xC8\x89\x05\xBD\x83\x11\xB8\x73\x3F\xAA\x07\x8D\xF4\x42\x4D\xE7\x40\x9D\x1C\x37\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x26\x48\x2C\x16\xC2\x58\xFA\xE8\x16\x74\x0C\xAA\xAA\x5F\x54\x3F\xF2\xD7\xC9\x78\x60\x5E\x5E\x6E\x37\x63\x22\x77\x36\x7E\xB2\x17\xC4\x34\xB9\xF5\x08\x85\xFC\xC9\x01\x38\xFF\x4D\xBE\xF2\x16\x42\x43\xE7\xBB\x5A\x46\xFB\xC1\xC6\x11\x1F\xF1\x4A\xB0\x28\x46\xC9\xC3\xC4\x42\x7D\xBC\xFA\xAB\x59\x6E\xD5\xB7\x51\x88\x11\xE3\xA4\x85\x19\x6B\x82\x4C\xA4\x0C\x12\xAD\xE9\xA4\xAE\x3F\xF1\xC3\x49\x65\x9A\x8C\xC5\xC8\x3E\x25\xB7\x94\x99\xBB\x92\x32\x71\x07\xF0\x86\x5E\xED\x50\x27\xA6\x0D\xA6\x23\xF9\xBB\xCB\xA6\x07\x14\x42",
 	["OU=Equifax Secure Certificate Authority,O=Equifax,C=US"] = "\x30\x82\x03\x20\x30\x82\x02\x89\xA0\x03\x02\x01\x02\x02\x04\x35\xDE\xF4\xCF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x45\x71\x75\x69\x66\x61\x78\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x38\x30\x38\x32\x32\x31\x36\x34\x31\x35\x31\x5A\x17\x0D\x31\x38\x30\x38\x32\x32\x31\x36\x34\x31\x35\x31\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x45\x71\x75\x69\x66\x61\x78\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC1\x5D\xB1\x58\x67\x08\x62\xEE\xA0\x9A\x2D\x1F\x08\x6D\x91\x14\x68\x98\x0A\x1E\xFE\xDA\x04\x6F\x13\x84\x62\x21\xC3\xD1\x7C\xCE\x9F\x05\xE0\xB8\x01\xF0\x4E\x34\xEC\xE2\x8A\x95\x04\x64\xAC\xF1\x6B\x53\x5F\x05\xB3\xCB\x67\x80\xBF\x42\x02\x8E\xFE\xDD\x01\x09\xEC\xE1\x00\x14\x4F\xFC\xFB\xF0\x0C\xDD\x43\xBA\x5B\x2B\xE1\x1F\x80\x70\x99\x15\x57\x93\x16\xF1\x0F\x97\x6A\xB7\xC2\x68\x23\x1C\xCC\x4D\x59\x30\xAC\x51\x1E\x3B\xAF\x2B\xD6\xEE\x63\x45\x7B\xC5\xD9\x5F\x50\xD2\xE3\x50\x0F\x3A\x88\xE7\xBF\x14\xFD\xE0\xC7\xB9\x02\x03\x01\x00\x01\xA3\x82\x01\x09\x30\x82\x01\x05\x30\x70\x06\x03\x55\x1D\x1F\x04\x69\x30\x67\x30\x65\xA0\x63\xA0\x61\xA4\x5F\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x45\x71\x75\x69\x66\x61\x78\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x1A\x06\x03\x55\x1D\x10\x04\x13\x30\x11\x81\x0F\x32\x30\x31\x38\x30\x38\x32\x32\x31\x36\x34\x31\x35\x31\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x48\xE6\x68\xF9\x2B\xD2\xB2\x95\xD7\x47\xD8\x23\x20\x10\x4F\x33\x98\x90\x9F\xD4\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x48\xE6\x68\xF9\x2B\xD2\xB2\x95\xD7\x47\xD8\x23\x20\x10\x4F\x33\x98\x90\x9F\xD4\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x1A\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0D\x30\x0B\x1B\x05\x56\x33\x2E\x30\x63\x03\x02\x06\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x58\xCE\x29\xEA\xFC\xF7\xDE\xB5\xCE\x02\xB9\x17\xB5\x85\xD1\xB9\xE3\xE0\x95\xCC\x25\x31\x0D\x00\xA6\x92\x6E\x7F\xB6\x92\x63\x9E\x50\x95\xD1\x9A\x6F\xE4\x11\xDE\x63\x85\x6E\x98\xEE\xA8\xFF\x5A\xC8\xD3\x55\xB2\x66\x71\x57\xDE\xC0\x21\xEB\x3D\x2A\xA7\x23\x49\x01\x04\x86\x42\x7B\xFC\xEE\x7F\xA2\x16\x52\xB5\x67\x67\xD3\x40\xDB\x3B\x26\x58\xB2\x28\x77\x3D\xAE\x14\x77\x61\xD6\xFA\x2A\x66\x27\xA0\x0D\xFA\xA7\x73\x5C\xEA\x70\xF1\x94\x21\x65\x44\x5F\xFA\xFC\xEF\x29\x68\xA9\xA2\x87\x79\xEF\x79\xEF\x4F\xAC\x07\x77\x38",
@@ -19,12 +18,8 @@ redef root_certs += {
 	["OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x03\x02\x30\x82\x02\x6B\x02\x10\x7D\xD9\xFE\x07\xCF\xA8\x1E\xB7\x10\x79\x67\xFB\xA7\x89\x34\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xC1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x0B\x13\x33\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x30\x1E\x17\x0D\x39\x38\x30\x35\x31\x38\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xC1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x3C\x30\x3A\x06\x03\x55\x04\x0B\x13\x33\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x32\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x38\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xCC\x5E\xD1\x11\x5D\x5C\x69\xD0\xAB\xD3\xB9\x6A\x4C\x99\x1F\x59\x98\x30\x8E\x16\x85\x20\x46\x6D\x47\x3F\xD4\x85\x20\x84\xE1\x6D\xB3\xF8\xA4\xED\x0C\xF1\x17\x0F\x3B\xF9\xA7\xF9\x25\xD7\xC1\xCF\x84\x63\xF2\x7C\x63\xCF\xA2\x47\xF2\xC6\x5B\x33\x8E\x64\x40\x04\x68\xC1\x80\xB9\x64\x1C\x45\x77\xC7\xD8\x6E\xF5\x95\x29\x3C\x50\xE8\x34\xD7\x78\x1F\xA8\xBA\x6D\x43\x91\x95\x8F\x45\x57\x5E\x7E\xC5\xFB\xCA\xA4\x04\xEB\xEA\x97\x37\x54\x30\x6F\xBB\x01\x47\x32\x33\xCD\xDC\x57\x9B\x64\x69\x61\xF8\x9B\x1D\x1C\x89\x4F\x5C\x67\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x51\x4D\xCD\xBE\x5C\xCB\x98\x19\x9C\x15\xB2\x01\x39\x78\x2E\x4D\x0F\x67\x70\x70\x99\xC6\x10\x5A\x94\xA4\x53\x4D\x54\x6D\x2B\xAF\x0D\x5D\x40\x8B\x64\xD3\xD7\xEE\xDE\x56\x61\x92\x5F\xA6\xC4\x1D\x10\x61\x36\xD3\x2C\x27\x3C\xE8\x29\x09\xB9\x11\x64\x74\xCC\xB5\x73\x9F\x1C\x48\xA9\xBC\x61\x01\xEE\xE2\x17\xA6\x0C\xE3\x40\x08\x3B\x0E\xE7\xEB\x44\x73\x2A\x9A\xF1\x69\x92\xEF\x71\x14\xC3\x39\xAC\x71\xA7\x91\x09\x6F\xE4\x71\x06\xB3\xBA\x59\x57\x26\x79\x00\xF6\xF8\x0D\xA2\x33\x30\x28\xD4\xAA\x58\xA0\x9D\x9D\x69\x91\xFD",
 	["CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE"] = "\x30\x82\x03\x75\x30\x82\x02\x5D\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x15\x4B\x5A\xC3\x94\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x57\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x45\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x6E\x76\x2D\x73\x61\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x39\x38\x30\x39\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x31\x32\x38\x31\x32\x30\x30\x30\x30\x5A\x30\x57\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x45\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x6E\x76\x2D\x73\x61\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDA\x0E\xE6\x99\x8D\xCE\xA3\xE3\x4F\x8A\x7E\xFB\xF1\x8B\x83\x25\x6B\xEA\x48\x1F\xF1\x2A\xB0\xB9\x95\x11\x04\xBD\xF0\x63\xD1\xE2\x67\x66\xCF\x1C\xDD\xCF\x1B\x48\x2B\xEE\x8D\x89\x8E\x9A\xAF\x29\x80\x65\xAB\xE9\xC7\x2D\x12\xCB\xAB\x1C\x4C\x70\x07\xA1\x3D\x0A\x30\xCD\x15\x8D\x4F\xF8\xDD\xD4\x8C\x50\x15\x1C\xEF\x50\xEE\xC4\x2E\xF7\xFC\xE9\x52\xF2\x91\x7D\xE0\x6D\xD5\x35\x30\x8E\x5E\x43\x73\xF2\x41\xE9\xD5\x6A\xE3\xB2\x89\x3A\x56\x39\x38\x6F\x06\x3C\x88\x69\x5B\x2A\x4D\xC5\xA7\x54\xB8\x6C\x89\xCC\x9B\xF9\x3C\xCA\xE5\xFD\x89\xF5\x12\x3C\x92\x78\x96\xD6\xDC\x74\x6E\x93\x44\x61\xD1\x8D\xC7\x46\xB2\x75\x0E\x86\xE8\x19\x8A\xD5\x6D\x6C\xD5\x78\x16\x95\xA2\xE9\xC8\x0A\x38\xEB\xF2\x24\x13\x4F\x73\x54\x93\x13\x85\x3A\x1B\xBC\x1E\x34\xB5\x8B\x05\x8C\xB9\x77\x8B\xB1\xDB\x1F\x20\x91\xAB\x09\x53\x6E\x90\xCE\x7B\x37\x74\xB9\x70\x47\x91\x22\x51\x63\x16\x79\xAE\xB1\xAE\x41\x26\x08\xC8\x19\x2B\xD1\x46\xAA\x48\xD6\x64\x2A\xD7\x83\x34\xFF\x2C\x2A\xC1\x6C\x19\x43\x4A\x07\x85\xE7\xD3\x7C\xF6\x21\x68\xEF\xEA\xF2\x52\x9F\x7F\x93\x90\xCF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x60\x7B\x66\x1A\x45\x0D\x97\xCA\x89\x50\x2F\x7D\x04\xCD\x34\xA8\xFF\xFC\xFD\x4B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD6\x73\xE7\x7C\x4F\x76\xD0\x8D\xBF\xEC\xBA\xA2\xBE\x34\xC5\x28\x32\xB5\x7C\xFC\x6C\x9C\x2C\x2B\xBD\x09\x9E\x53\xBF\x6B\x5E\xAA\x11\x48\xB6\xE5\x08\xA3\xB3\xCA\x3D\x61\x4D\xD3\x46\x09\xB3\x3E\xC3\xA0\xE3\x63\x55\x1B\xF2\xBA\xEF\xAD\x39\xE1\x43\xB9\x38\xA3\xE6\x2F\x8A\x26\x3B\xEF\xA0\x50\x56\xF9\xC6\x0A\xFD\x38\xCD\xC4\x0B\x70\x51\x94\x97\x98\x04\xDF\xC3\x5F\x94\xD5\x15\xC9\x14\x41\x9C\xC4\x5D\x75\x64\x15\x0D\xFF\x55\x30\xEC\x86\x8F\xFF\x0D\xEF\x2C\xB9\x63\x46\xF6\xAA\xFC\xDF\xBC\x69\xFD\x2E\x12\x48\x64\x9A\xE0\x95\xF0\xA6\xEF\x29\x8F\x01\xB1\x15\xB5\x0C\x1D\xA5\xFE\x69\x2C\x69\x24\x78\x1E\xB3\xA7\x1C\x71\x62\xEE\xCA\xC8\x97\xAC\x17\x5D\x8A\xC2\xF8\x47\x86\x6E\x2A\xC4\x56\x31\x95\xD0\x67\x89\x85\x2B\xF9\x6C\xA6\x5D\x46\x9D\x0C\xAA\x82\xE4\x99\x51\xDD\x70\xB7\xDB\x56\x3D\x61\xE4\x6A\xE1\x5C\xD6\xF6\xFE\x3D\xDE\x41\xCC\x07\xAE\x63\x52\xBF\x53\x53\xF4\x2B\xE9\xC7\xFD\xB6\xF7\x82\x5F\x85\xD2\x41\x18\xDB\x81\xB3\x04\x1C\xC5\x1F\xA4\x80\x6F\x15\x20\xC9\xDE\x0C\x88\x0A\x1D\xD6\x66\x55\xE2\xFC\x48\xC9\x29\x26\x69\xE0",
 	["CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2"] = "\x30\x82\x03\xBA\x30\x82\x02\xA2\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x0F\x86\x26\xE6\x0D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x32\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x36\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x17\x0D\x32\x31\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x32\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA6\xCF\x24\x0E\xBE\x2E\x6F\x28\x99\x45\x42\xC4\xAB\x3E\x21\x54\x9B\x0B\xD3\x7F\x84\x70\xFA\x12\xB3\xCB\xBF\x87\x5F\xC6\x7F\x86\xD3\xB2\x30\x5C\xD6\xFD\xAD\xF1\x7B\xDC\xE5\xF8\x60\x96\x09\x92\x10\xF5\xD0\x53\xDE\xFB\x7B\x7E\x73\x88\xAC\x52\x88\x7B\x4A\xA6\xCA\x49\xA6\x5E\xA8\xA7\x8C\x5A\x11\xBC\x7A\x82\xEB\xBE\x8C\xE9\xB3\xAC\x96\x25\x07\x97\x4A\x99\x2A\x07\x2F\xB4\x1E\x77\xBF\x8A\x0F\xB5\x02\x7C\x1B\x96\xB8\xC5\xB9\x3A\x2C\xBC\xD6\x12\xB9\xEB\x59\x7D\xE2\xD0\x06\x86\x5F\x5E\x49\x6A\xB5\x39\x5E\x88\x34\xEC\xBC\x78\x0C\x08\x98\x84\x6C\xA8\xCD\x4B\xB4\xA0\x7D\x0C\x79\x4D\xF0\xB8\x2D\xCB\x21\xCA\xD5\x6C\x5B\x7D\xE1\xA0\x29\x84\xA1\xF9\xD3\x94\x49\xCB\x24\x62\x91\x20\xBC\xDD\x0B\xD5\xD9\xCC\xF9\xEA\x27\x0A\x2B\x73\x91\xC6\x9D\x1B\xAC\xC8\xCB\xE8\xE0\xA0\xF4\x2F\x90\x8B\x4D\xFB\xB0\x36\x1B\xF6\x19\x7A\x85\xE0\x6D\xF2\x61\x13\x88\x5C\x9F\xE0\x93\x0A\x51\x97\x8A\x5A\xCE\xAF\xAB\xD5\xF7\xAA\x09\xAA\x60\xBD\xDC\xD9\x5F\xDF\x72\xA9\x60\x13\x5E\x00\x01\xC9\x4A\xFA\x3F\xA4\xEA\x07\x03\x21\x02\x8E\x82\xCA\x03\xC2\x9B\x8F\x02\x03\x01\x00\x01\xA3\x81\x9C\x30\x81\x99\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9B\xE2\x07\x57\x67\x1C\x1E\xC0\x6A\x06\xDE\x59\xB4\x9A\x2D\xDF\xDC\x19\x86\x2E\x30\x36\x06\x03\x55\x1D\x1F\x04\x2F\x30\x2D\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x67\x6C\x6F\x62\x61\x6C\x73\x69\x67\x6E\x2E\x6E\x65\x74\x2F\x72\x6F\x6F\x74\x2D\x72\x32\x2E\x63\x72\x6C\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x9B\xE2\x07\x57\x67\x1C\x1E\xC0\x6A\x06\xDE\x59\xB4\x9A\x2D\xDF\xDC\x19\x86\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x99\x81\x53\x87\x1C\x68\x97\x86\x91\xEC\xE0\x4A\xB8\x44\x0B\xAB\x81\xAC\x27\x4F\xD6\xC1\xB8\x1C\x43\x78\xB3\x0C\x9A\xFC\xEA\x2C\x3C\x6E\x61\x1B\x4D\x4B\x29\xF5\x9F\x05\x1D\x26\xC1\xB8\xE9\x83\x00\x62\x45\xB6\xA9\x08\x93\xB9\xA9\x33\x4B\x18\x9A\xC2\xF8\x87\x88\x4E\xDB\xDD\x71\x34\x1A\xC1\x54\xDA\x46\x3F\xE0\xD3\x2A\xAB\x6D\x54\x22\xF5\x3A\x62\xCD\x20\x6F\xBA\x29\x89\xD7\xDD\x91\xEE\xD3\x5C\xA2\x3E\xA1\x5B\x41\xF5\xDF\xE5\x64\x43\x2D\xE9\xD5\x39\xAB\xD2\xA2\xDF\xB7\x8B\xD0\xC0\x80\x19\x1C\x45\xC0\x2D\x8C\xE8\xF8\x2D\xA4\x74\x56\x49\xC5\x05\xB5\x4F\x15\xDE\x6E\x44\x78\x39\x87\xA8\x7E\xBB\xF3\x79\x18\x91\xBB\xF4\x6F\x9D\xC1\xF0\x8C\x35\x8C\x5D\x01\xFB\xC3\x6D\xB9\xEF\x44\x6D\x79\x46\x31\x7E\x0A\xFE\xA9\x82\xC1\xFF\xEF\xAB\x6E\x20\xC4\x50\xC9\x5F\x9D\x4D\x9B\x17\x8C\x0C\xE5\x01\xC9\xA0\x41\x6A\x73\x53\xFA\xA5\x50\xB4\x6E\x25\x0F\xFB\x4C\x18\xF4\xFD\x52\xD9\x8E\x69\xB1\xE8\x11\x0F\xDE\x88\xD8\xFB\x1D\x49\xF7\xAA\xDE\x95\xCF\x20\x78\xC2\x60\x12\xDB\x25\x40\x8C\x6A\xFC\x7E\x42\x38\x40\x64\x12\xF7\x9E\x81\xE1\x93\x2E",
-	["emailAddress=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 1 Policy Validation Authority,O=ValiCert\, Inc.,L=ValiCert Validation Network"] = "\x30\x82\x02\xE7\x30\x82\x02\x50\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x35\x32\x32\x32\x33\x34\x38\x5A\x17\x0D\x31\x39\x30\x36\x32\x35\x32\x32\x32\x33\x34\x38\x5A\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xD8\x59\x82\x7A\x89\xB8\x96\xBA\xA6\x2F\x68\x6F\x58\x2E\xA7\x54\x1C\x06\x6E\xF4\xEA\x8D\x48\xBC\x31\x94\x17\xF0\xF3\x4E\xBC\xB2\xB8\x35\x92\x76\xB0\xD0\xA5\xA5\x01\xD7\x00\x03\x12\x22\x19\x08\xF8\xFF\x11\x23\x9B\xCE\x07\xF5\xBF\x69\x1A\x26\xFE\x4E\xE9\xD1\x7F\x9D\x2C\x40\x1D\x59\x68\x6E\xA6\xF8\x58\xB0\x9D\x1A\x8F\xD3\x3F\xF1\xDC\x19\x06\x81\xA8\x0E\xE0\x3A\xDD\xC8\x53\x45\x09\x06\xE6\x0F\x70\xC3\xFA\x40\xA6\x0E\xE2\x56\x05\x0F\x18\x4D\xFC\x20\x82\xD1\x73\x55\x74\x8D\x76\x72\xA0\x1D\x9D\x1D\xC0\xDD\x3F\x71\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x50\x68\x3D\x49\xF4\x2C\x1C\x06\x94\xDF\x95\x60\x7F\x96\x7B\x17\xFE\x4F\x71\xAD\x64\xC8\xDD\x77\xD2\xEF\x59\x55\xE8\x3F\xE8\x8E\x05\x2A\x21\xF2\x07\xD2\xB5\xA7\x52\xFE\x9C\xB1\xB6\xE2\x5B\x77\x17\x40\xEA\x72\xD6\x23\xCB\x28\x81\x32\xC3\x00\x79\x18\xEC\x59\x17\x89\xC9\xC6\x6A\x1E\x71\xC9\xFD\xB7\x74\xA5\x25\x45\x69\xC5\x48\xAB\x19\xE1\x45\x8A\x25\x6B\x19\xEE\xE5\xBB\x12\xF5\x7F\xF7\xA6\x8D\x51\xC3\xF0\x9D\x74\xB7\xA9\x3E\xA0\xA5\xFF\xB6\x49\x03\x13\xDA\x22\xCC\xED\x71\x82\x2B\x99\xCF\x3A\xB7\xF5\x2D\x72\xC8",
-	["emailAddress=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=ValiCert\, Inc.,L=ValiCert Validation Network"] = "\x30\x82\x02\xE7\x30\x82\x02\x50\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x36\x30\x30\x31\x39\x35\x34\x5A\x17\x0D\x31\x39\x30\x36\x32\x36\x30\x30\x31\x39\x35\x34\x5A\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xCE\x3A\x71\xCA\xE5\xAB\xC8\x59\x92\x55\xD7\xAB\xD8\x74\x0E\xF9\xEE\xD9\xF6\x55\x47\x59\x65\x47\x0E\x05\x55\xDC\xEB\x98\x36\x3C\x5C\x53\x5D\xD3\x30\xCF\x38\xEC\xBD\x41\x89\xED\x25\x42\x09\x24\x6B\x0A\x5E\xB3\x7C\xDD\x52\x2D\x4C\xE6\xD4\xD6\x7D\x5A\x59\xA9\x65\xD4\x49\x13\x2D\x24\x4D\x1C\x50\x6F\xB5\xC1\x85\x54\x3B\xFE\x71\xE4\xD3\x5C\x42\xF9\x80\xE0\x91\x1A\x0A\x5B\x39\x36\x67\xF3\x3F\x55\x7C\x1B\x3F\xB4\x5F\x64\x73\x34\xE3\xB4\x12\xBF\x87\x64\xF8\xDA\x12\xFF\x37\x27\xC1\xB3\x43\xBB\xEF\x7B\x6E\x2E\x69\xF7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x3B\x7F\x50\x6F\x6F\x50\x94\x99\x49\x62\x38\x38\x1F\x4B\xF8\xA5\xC8\x3E\xA7\x82\x81\xF6\x2B\xC7\xE8\xC5\xCE\xE8\x3A\x10\x82\xCB\x18\x00\x8E\x4D\xBD\xA8\x58\x7F\xA1\x79\x00\xB5\xBB\xE9\x8D\xAF\x41\xD9\x0F\x34\xEE\x21\x81\x19\xA0\x32\x49\x28\xF4\xC4\x8E\x56\xD5\x52\x33\xFD\x50\xD5\x7E\x99\x6C\x03\xE4\xC9\x4C\xFC\xCB\x6C\xAB\x66\xB3\x4A\x21\x8C\xE5\xB5\x0C\x32\x3E\x10\xB2\xCC\x6C\xA1\xDC\x9A\x98\x4C\x02\x5B\xF3\xCE\xB9\x9E\xA5\x72\x0E\x4A\xB7\x3F\x3C\xE6\x16\x68\xF8\xBE\xED\x74\x4C\xBC\x5B\xD5\x62\x1F\x43\xDD",
-	["emailAddress=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 3 Policy Validation Authority,O=ValiCert\, Inc.,L=ValiCert Validation Network"] = "\x30\x82\x02\xE7\x30\x82\x02\x50\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x36\x30\x30\x32\x32\x33\x33\x5A\x17\x0D\x31\x39\x30\x36\x32\x36\x30\x30\x32\x32\x33\x33\x5A\x30\x81\xBB\x31\x24\x30\x22\x06\x03\x55\x04\x07\x13\x1B\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x61\x6C\x69\x43\x65\x72\x74\x2C\x20\x49\x6E\x63\x2E\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x61\x6C\x69\x43\x65\x72\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x6F\x6C\x69\x63\x79\x20\x56\x61\x6C\x69\x64\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x2F\x31\x20\x30\x1E\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x11\x69\x6E\x66\x6F\x40\x76\x61\x6C\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xE3\x98\x51\x96\x1C\xE8\xD5\xB1\x06\x81\x6A\x57\xC3\x72\x75\x93\xAB\xCF\x9E\xA6\xFC\xF3\x16\x52\xD6\x2D\x4D\x9F\x35\x44\xA8\x2E\x04\x4D\x07\x49\x8A\x38\x29\xF5\x77\x37\xE7\xB7\xAB\x5D\xDF\x36\x71\x14\x99\x8F\xDC\xC2\x92\xF1\xE7\x60\x92\x97\xEC\xD8\x48\xDC\xBF\xC1\x02\x20\xC6\x24\xA4\x28\x4C\x30\x5A\x76\x6D\xB1\x5C\xF3\xDD\xDE\x9E\x10\x71\xA1\x88\xC7\x5B\x9B\x41\x6D\xCA\xB0\xB8\x8E\x15\xEE\xAD\x33\x2B\xCF\x47\x04\x5C\x75\x71\x0A\x98\x24\x98\x29\xA7\x49\x59\xA5\xDD\xF8\xB7\x43\x62\x61\xF3\xD3\xE2\xD0\x55\x3F\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x56\xBB\x02\x58\x84\x67\x08\x2C\xDF\x1F\xDB\x7B\x49\x33\xF5\xD3\x67\x9D\xF4\xB4\x0A\x10\xB3\xC9\xC5\x2C\xE2\x92\x6A\x71\x78\x27\xF2\x70\x83\x42\xD3\x3E\xCF\xA9\x54\xF4\xF1\xD8\x92\x16\x8C\xD1\x04\xCB\x4B\xAB\xC9\x9F\x45\xAE\x3C\x8A\xA9\xB0\x71\x33\x5D\xC8\xC5\x57\xDF\xAF\xA8\x35\xB3\x7F\x89\x87\xE9\xE8\x25\x92\xB8\x7F\x85\x7A\xAE\xD6\xBC\x1E\x37\x58\x2A\x67\xC9\x91\xCF\x2A\x81\x3E\xED\xC6\x39\xDF\xC0\x3E\x19\x9C\x19\xCC\x13\x4D\x82\x41\xB5\x8C\xDE\xE0\x3D\x60\x08\x20\x0F\x45\x7E\x6B\xA2\x7F\xA3\x8C\x15\xEE",
 	["CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\x9B\x7E\x06\x49\xA3\x3E\x62\xB9\xD5\xEE\x90\x48\x71\x29\xEF\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\xBA\x9C\x52\xFC\x78\x1F\x1A\x1E\x6F\x1B\x37\x73\xBD\xF8\xC9\x6B\x94\x12\x30\x4F\xF0\x36\x47\xF5\xD0\x91\x0A\xF5\x17\xC8\xA5\x61\xC1\x16\x40\x4D\xFB\x8A\x61\x90\xE5\x76\x20\xC1\x11\x06\x7D\xAB\x2C\x6E\xA6\xF5\x11\x41\x8E\xFA\x2D\xAD\x2A\x61\x59\xA4\x67\x26\x4C\xD0\xE8\xBC\x52\x5B\x70\x20\x04\x58\xD1\x7A\xC9\xA4\x69\xBC\x83\x17\x64\xAD\x05\x8B\xBC\xD0\x58\xCE\x8D\x8C\xF5\xEB\xF0\x42\x49\x0B\x9D\x97\x27\x67\x32\x6E\xE1\xAE\x93\x15\x1C\x70\xBC\x20\x4D\x2F\x18\xDE\x92\x88\xE8\x6C\x85\x57\x11\x1A\xE9\x7E\xE3\x26\x11\x54\xA2\x45\x96\x55\x83\xCA\x30\x89\xE8\xDC\xD8\xA3\xED\x2A\x80\x3F\x7F\x79\x65\x57\x3E\x15\x20\x66\x08\x2F\x95\x93\xBF\xAA\x47\x2F\xA8\x46\x97\xF0\x12\xE2\xFE\xC2\x0A\x2B\x51\xE6\x76\xE6\xB7\x46\xB7\xE2\x0D\xA6\xCC\xA8\xC3\x4C\x59\x55\x89\xE6\xE8\x53\x5C\x1C\xEA\x9D\xF0\x62\x16\x0B\xA7\xC9\x5F\x0C\xF0\xDE\xC2\x76\xCE\xAF\xF7\x6A\xF2\xFA\x41\xA6\xA2\x33\x14\xC9\xE5\x7A\x63\xD3\x9E\x62\x37\xD5\x85\x65\x9E\x0E\xE6\x53\x24\x74\x1B\x5E\x1D\x12\x53\x5B\xC7\x2C\xE7\x83\x49\x3B\x15\xAE\x8A\x68\xB9\x57\x97\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x11\x14\x96\xC1\xAB\x92\x08\xF7\x3F\x2F\xC9\xB2\xFE\xE4\x5A\x9F\x64\xDE\xDB\x21\x4F\x86\x99\x34\x76\x36\x57\xDD\xD0\x15\x2F\xC5\xAD\x7F\x15\x1F\x37\x62\x73\x3E\xD4\xE7\x5F\xCE\x17\x03\xDB\x35\xFA\x2B\xDB\xAE\x60\x09\x5F\x1E\x5F\x8F\x6E\xBB\x0B\x3D\xEA\x5A\x13\x1E\x0C\x60\x6F\xB5\xC0\xB5\x23\x22\x2E\x07\x0B\xCB\xA9\x74\xCB\x47\xBB\x1D\xC1\xD7\xA5\x6B\xCC\x2F\xD2\x42\xFD\x49\xDD\xA7\x89\xCF\x53\xBA\xDA\x00\x5A\x28\xBF\x82\xDF\xF8\xBA\x13\x1D\x50\x86\x82\xFD\x8E\x30\x8F\x29\x46\xB0\x1E\x3D\x35\xDA\x38\x62\x16\x18\x4A\xAD\xE6\xB6\x51\x6C\xDE\xAF\x62\xEB\x01\xD0\x1E\x24\xFE\x7A\x8F\x12\x1A\x12\x68\xB8\xFB\x66\x99\x14\x14\x45\x5C\xAE\xE7\xAE\x69\x17\x81\x2B\x5A\x37\xC9\x5E\x2A\xF4\xC6\xE2\xA1\x5C\x54\x9B\xA6\x54\x00\xCF\xF0\xF1\xC1\xC7\x98\x30\x1A\x3B\x36\x16\xDB\xA3\x6E\xEA\xFD\xAD\xB2\xC2\xDA\xEF\x02\x47\x13\x8A\xC0\xF1\xB3\x31\xAD\x4F\x1C\xE1\x4F\x9C\xAF\x0F\x0C\x9D\xF7\x78\x0D\xD8\xF4\x35\x56\x80\xDA\xB7\x6D\x17\x8F\x9D\x1E\x81\x64\xE1\xFE\xC5\x45\xBA\xAD\x6B\xB9\x0A\x7A\x4E\x4F\x4B\x84\xEE\x4B\xF1\x7D\xDD\x11",
 	["CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\xEC\xA0\xA7\x8B\x6E\x75\x6A\x01\xCF\xC4\x7C\xCC\x2F\x94\x5E\xD7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x34\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x34\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\xCB\xA5\x11\x69\xC6\x59\xAB\xF1\x8F\xB5\x19\x0F\x56\xCE\xCC\xB5\x1F\x20\xE4\x9E\x26\x25\x4B\xE0\x73\x65\x89\x59\xDE\xD0\x83\xE4\xF5\x0F\xB5\xBB\xAD\xF1\x7C\xE8\x21\xFC\xE4\xE8\x0C\xEE\x7C\x45\x22\x19\x76\x92\xB4\x13\xB7\x20\x5B\x09\xFA\x61\xAE\xA8\xF2\xA5\x8D\x85\xC2\x2A\xD6\xDE\x66\x36\xD2\x9B\x02\xF4\xA8\x92\x60\x7C\x9C\x69\xB4\x8F\x24\x1E\xD0\x86\x52\xF6\x32\x9C\x41\x58\x1E\x22\xBD\xCD\x45\x62\x95\x08\x6E\xD0\x66\xDD\x53\xA2\xCC\xF0\x10\xDC\x54\x73\x8B\x04\xA1\x46\x33\x33\x5C\x17\x40\xB9\x9E\x4D\xD3\xF3\xBE\x55\x83\xE8\xB1\x89\x8E\x5A\x7C\x9A\x96\x22\x90\x3B\x88\x25\xF2\xD2\x53\x88\x02\x0C\x0B\x78\xF2\xE6\x37\x17\x4B\x30\x46\x07\xE4\x80\x6D\xA6\xD8\x96\x2E\xE8\x2C\xF8\x11\xB3\x38\x0D\x66\xA6\x9B\xEA\xC9\x23\x5B\xDB\x8E\xE2\xF3\x13\x8E\x1A\x59\x2D\xAA\x02\xF0\xEC\xA4\x87\x66\xDC\xC1\x3F\xF5\xD8\xB9\xF4\xEC\x82\xC6\xD2\x3D\x95\x1D\xE5\xC0\x4F\x84\xC9\xD9\xA3\x44\x28\x06\x6A\xD7\x45\xAC\xF0\x6B\x6A\xEF\x4E\x5F\xF8\x11\x82\x1E\x38\x63\x34\x66\x50\xD4\x3E\x93\x73\xFA\x30\xC3\x66\xAD\xFF\x93\x2D\x97\xEF\x03\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x8F\xFA\x25\x6B\x4F\x5B\xE4\xA4\x4E\x27\x55\xAB\x22\x15\x59\x3C\xCA\xB5\x0A\xD4\x4A\xDB\xAB\xDD\xA1\x5F\x53\xC5\xA0\x57\x39\xC2\xCE\x47\x2B\xBE\x3A\xC8\x56\xBF\xC2\xD9\x27\x10\x3A\xB1\x05\x3C\xC0\x77\x31\xBB\x3A\xD3\x05\x7B\x6D\x9A\x1C\x30\x8C\x80\xCB\x93\x93\x2A\x83\xAB\x05\x51\x82\x02\x00\x11\x67\x6B\xF3\x88\x61\x47\x5F\x03\x93\xD5\x5B\x0D\xE0\xF1\xD4\xA1\x32\x35\x85\xB2\x3A\xDB\xB0\x82\xAB\xD1\xCB\x0A\xBC\x4F\x8C\x5B\xC5\x4B\x00\x3B\x1F\x2A\x82\xA6\x7E\x36\x85\xDC\x7E\x3C\x67\x00\xB5\xE4\x3B\x52\xE0\xA8\xEB\x5D\x15\xF9\xC6\x6D\xF0\xAD\x1D\x0E\x85\xB7\xA9\x9A\x73\x14\x5A\x5B\x8F\x41\x28\xC0\xD5\xE8\x2D\x4D\xA4\x5E\xCD\xAA\xD9\xED\xCE\xDC\xD8\xD5\x3C\x42\x1D\x17\xC1\x12\x5D\x45\x38\xC3\x38\xF3\xFC\x85\x2E\x83\x46\x48\xB2\xD7\x20\x5F\x92\x36\x8F\xE7\x79\x0F\x98\x5E\x99\xE8\xF0\xD0\xA4\xBB\xF5\x53\xBD\x2A\xCE\x59\xB0\xAF\x6E\x7F\x6C\xBB\xD2\x1E\x00\xB0\x21\xED\xF8\x41\x62\x82\xB9\xD8\xB2\xC4\xBB\x46\x50\xF3\x31\xC5\x8F\x01\xA8\x74\xEB\xF5\x78\x27\xDA\xE7\xF7\x66\x43\xF3\x9E\x83\x3E\x20\xAA\xC3\x35\x60\x91\xCE",
-	["CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US"] = "\x30\x82\x04\xD8\x30\x82\x04\x41\xA0\x03\x02\x01\x02\x02\x04\x37\x4A\xD2\x43\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xC3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x3B\x30\x39\x06\x03\x55\x04\x0B\x13\x32\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x3A\x30\x38\x06\x03\x55\x04\x03\x13\x31\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x39\x30\x35\x32\x35\x31\x36\x30\x39\x34\x30\x5A\x17\x0D\x31\x39\x30\x35\x32\x35\x31\x36\x33\x39\x34\x30\x5A\x30\x81\xC3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x3B\x30\x39\x06\x03\x55\x04\x0B\x13\x32\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x3A\x30\x38\x06\x03\x55\x04\x03\x13\x31\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8B\x00\x30\x81\x87\x02\x81\x81\x00\xCD\x28\x83\x34\x54\x1B\x89\xF3\x0F\xAF\x37\x91\x31\xFF\xAF\x31\x60\xC9\xA8\xE8\xB2\x10\x68\xED\x9F\xE7\x93\x36\xF1\x0A\x64\xBB\x47\xF5\x04\x17\x3F\x23\x47\x4D\xC5\x27\x19\x81\x26\x0C\x54\x72\x0D\x88\x2D\xD9\x1F\x9A\x12\x9F\xBC\xB3\x71\xD3\x80\x19\x3F\x47\x66\x7B\x8C\x35\x28\xD2\xB9\x0A\xDF\x24\xDA\x9C\xD6\x50\x79\x81\x7A\x5A\xD3\x37\xF7\xC2\x4A\xD8\x29\x92\x26\x64\xD1\xE4\x98\x6C\x3A\x00\x8A\xF5\x34\x9B\x65\xF8\xED\xE3\x10\xFF\xFD\xB8\x49\x58\xDC\xA0\xDE\x82\x39\x6B\x81\xB1\x16\x19\x61\xB9\x54\xB6\xE6\x43\x02\x01\x03\xA3\x82\x01\xD7\x30\x82\x01\xD3\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x01\x19\x06\x03\x55\x1D\x1F\x04\x82\x01\x10\x30\x82\x01\x0C\x30\x81\xDE\xA0\x81\xDB\xA0\x81\xD8\xA4\x81\xD5\x30\x81\xD2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x3B\x30\x39\x06\x03\x55\x04\x0B\x13\x32\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x3A\x30\x38\x06\x03\x55\x04\x03\x13\x31\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x43\x52\x4C\x31\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x52\x4C\x2F\x6E\x65\x74\x31\x2E\x63\x72\x6C\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x31\x39\x39\x39\x30\x35\x32\x35\x31\x36\x30\x39\x34\x30\x5A\x81\x0F\x32\x30\x31\x39\x30\x35\x32\x35\x31\x36\x30\x39\x34\x30\x5A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xF0\x17\x62\x13\x55\x3D\xB3\xFF\x0A\x00\x6B\xFB\x50\x84\x97\xF3\xED\x62\xD0\x1A\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF0\x17\x62\x13\x55\x3D\xB3\xFF\x0A\x00\x6B\xFB\x50\x84\x97\xF3\xED\x62\xD0\x1A\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x19\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x0C\x30\x0A\x1B\x04\x56\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x81\x81\x00\x90\xDC\x30\x02\xFA\x64\x74\xC2\xA7\x0A\xA5\x7C\x21\x8D\x34\x17\xA8\xFB\x47\x0E\xFF\x25\x7C\x8D\x13\x0A\xFB\xE4\x98\xB5\xEF\x8C\xF8\xC5\x10\x0D\xF7\x92\xBE\xF1\xC3\xD5\xD5\x95\x6A\x04\xBB\x2C\xCE\x26\x36\x65\xC8\x31\xC6\xE7\xEE\x3F\xE3\x57\x75\x84\x7A\x11\xEF\x46\x4F\x18\xF4\xD3\x98\xBB\xA8\x87\x32\xBA\x72\xF6\x3C\xE2\x3D\x9F\xD7\x1D\xD9\xC3\x60\x43\x8C\x58\x0E\x22\x96\x2F\x62\xA3\x2C\x1F\xBA\xAD\x05\xEF\xAB\x32\x78\x87\xA0\x54\x73\x19\xB5\x5C\x05\xF9\x52\x3E\x6D\x2D\x45\x0B\xF7\x0A\x93\xEA\xED\x06\xF9\xB2",
 	["CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net"] = "\x30\x82\x04\x2A\x30\x82\x03\x12\xA0\x03\x02\x01\x02\x02\x04\x38\x63\xDE\xF8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x1E\x17\x0D\x39\x39\x31\x32\x32\x34\x31\x37\x35\x30\x35\x31\x5A\x17\x0D\x32\x39\x30\x37\x32\x34\x31\x34\x31\x35\x31\x32\x5A\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x4D\x4B\xA9\x12\x86\xB2\xEA\xA3\x20\x07\x15\x16\x64\x2A\x2B\x4B\xD1\xBF\x0B\x4A\x4D\x8E\xED\x80\x76\xA5\x67\xB7\x78\x40\xC0\x73\x42\xC8\x68\xC0\xDB\x53\x2B\xDD\x5E\xB8\x76\x98\x35\x93\x8B\x1A\x9D\x7C\x13\x3A\x0E\x1F\x5B\xB7\x1E\xCF\xE5\x24\x14\x1E\xB1\x81\xA9\x8D\x7D\xB8\xCC\x6B\x4B\x03\xF1\x02\x0C\xDC\xAB\xA5\x40\x24\x00\x7F\x74\x94\xA1\x9D\x08\x29\xB3\x88\x0B\xF5\x87\x77\x9D\x55\xCD\xE4\xC3\x7E\xD7\x6A\x64\xAB\x85\x14\x86\x95\x5B\x97\x32\x50\x6F\x3D\xC8\xBA\x66\x0C\xE3\xFC\xBD\xB8\x49\xC1\x76\x89\x49\x19\xFD\xC0\xA8\xBD\x89\xA3\x67\x2F\xC6\x9F\xBC\x71\x19\x60\xB8\x2D\xE9\x2C\xC9\x90\x76\x66\x7B\x94\xE2\xAF\x78\xD6\x65\x53\x5D\x3C\xD6\x9C\xB2\xCF\x29\x03\xF9\x2F\xA4\x50\xB2\xD4\x48\xCE\x05\x32\x55\x8A\xFD\xB2\x64\x4C\x0E\xE4\x98\x07\x75\xDB\x7F\xDF\xB9\x08\x55\x60\x85\x30\x29\xF9\x7B\x48\xA4\x69\x86\xE3\x35\x3F\x1E\x86\x5D\x7A\x7A\x15\xBD\xEF\x00\x8E\x15\x22\x54\x17\x00\x90\x26\x93\xBC\x0E\x49\x68\x91\xBF\xF8\x47\xD3\x9D\x95\x42\xC1\x0E\x4D\xDF\x6F\x26\xCF\xC3\x18\x21\x62\x66\x43\x70\xD6\xD5\xC0\x07\xE1\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x55\xE4\x81\xD1\x11\x80\xBE\xD8\x89\xB9\x08\xA3\x31\xF9\xA1\x24\x09\x16\xB9\x70\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3B\x9B\x8F\x56\x9B\x30\xE7\x53\x99\x7C\x7A\x79\xA7\x4D\x97\xD7\x19\x95\x90\xFB\x06\x1F\xCA\x33\x7C\x46\x63\x8F\x96\x66\x24\xFA\x40\x1B\x21\x27\xCA\xE6\x72\x73\xF2\x4F\xFE\x31\x99\xFD\xC8\x0C\x4C\x68\x53\xC6\x80\x82\x13\x98\xFA\xB6\xAD\xDA\x5D\x3D\xF1\xCE\x6E\xF6\x15\x11\x94\x82\x0C\xEE\x3F\x95\xAF\x11\xAB\x0F\xD7\x2F\xDE\x1F\x03\x8F\x57\x2C\x1E\xC9\xBB\x9A\x1A\x44\x95\xEB\x18\x4F\xA6\x1F\xCD\x7D\x57\x10\x2F\x9B\x04\x09\x5A\x84\xB5\x6E\xD8\x1D\x3A\xE1\xD6\x9E\xD1\x6C\x79\x5E\x79\x1C\x14\xC5\xE3\xD0\x4C\x93\x3B\x65\x3C\xED\xDF\x3D\xBE\xA6\xE5\x95\x1A\xC3\xB5\x19\xC3\xBD\x5E\x5B\xBB\xFF\x23\xEF\x68\x19\xCB\x12\x93\x27\x5C\x03\x2D\x6F\x30\xD0\x1E\xB6\x1A\xAC\xDE\x5A\xF7\xD1\xAA\xA8\x27\xA6\xFE\x79\x81\xC4\x79\x99\x33\x57\xBA\x12\xB0\xA9\xE0\x42\x6C\x93\xCA\x56\xDE\xFE\x6D\x84\x0B\x08\x8B\x7E\x8D\xEA\xD7\x98\x21\xC6\xF3\xE7\x3C\x79\x2F\x5E\x9C\xD1\x4C\x15\x8D\xE1\xEC\x22\x37\xCC\x9A\x43\x0B\x97\xDC\x80\x90\x8D\xB3\x67\x9B\x6F\x48\x08\x15\x56\xCF\xBF\xF1\x2B\x7C\x5E\x9A\x76\xE9\x59\x90\xC5\x7C\x83\x35\x11\x65\x51",
 	["CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x04\x02\x00\x00\xB9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x31\x32\x31\x38\x34\x36\x30\x30\x5A\x17\x0D\x32\x35\x30\x35\x31\x32\x32\x33\x35\x39\x30\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA3\x04\xBB\x22\xAB\x98\x3D\x57\xE8\x26\x72\x9A\xB5\x79\xD4\x29\xE2\xE1\xE8\x95\x80\xB1\xB0\xE3\x5B\x8E\x2B\x29\x9A\x64\xDF\xA1\x5D\xED\xB0\x09\x05\x6D\xDB\x28\x2E\xCE\x62\xA2\x62\xFE\xB4\x88\xDA\x12\xEB\x38\xEB\x21\x9D\xC0\x41\x2B\x01\x52\x7B\x88\x77\xD3\x1C\x8F\xC7\xBA\xB9\x88\xB5\x6A\x09\xE7\x73\xE8\x11\x40\xA7\xD1\xCC\xCA\x62\x8D\x2D\xE5\x8F\x0B\xA6\x50\xD2\xA8\x50\xC3\x28\xEA\xF5\xAB\x25\x87\x8A\x9A\x96\x1C\xA9\x67\xB8\x3F\x0C\xD5\xF7\xF9\x52\x13\x2F\xC2\x1B\xD5\x70\x70\xF0\x8F\xC0\x12\xCA\x06\xCB\x9A\xE1\xD9\xCA\x33\x7A\x77\xD6\xF8\xEC\xB9\xF1\x68\x44\x42\x48\x13\xD2\xC0\xC2\xA4\xAE\x5E\x60\xFE\xB6\xA6\x05\xFC\xB4\xDD\x07\x59\x02\xD4\x59\x18\x98\x63\xF5\xA5\x63\xE0\x90\x0C\x7D\x5D\xB2\x06\x7A\xF3\x85\xEA\xEB\xD4\x03\xAE\x5E\x84\x3E\x5F\xFF\x15\xED\x69\xBC\xF9\x39\x36\x72\x75\xCF\x77\x52\x4D\xF3\xC9\x90\x2C\xB9\x3D\xE5\xC9\x23\x53\x3F\x1F\x24\x98\x21\x5C\x07\x99\x29\xBD\xC6\x3A\xEC\xE7\x6E\x86\x3A\x6B\x97\x74\x63\x33\xBD\x68\x18\x31\xF0\x78\x8D\x76\xBF\xFC\x9E\x8E\x5D\x2A\x86\xA7\x4D\x90\xDC\x27\x1A\x39\x02\x03\x01\x00\x01\xA3\x45\x30\x43\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE5\x9D\x59\x30\x82\x47\x58\xCC\xAC\xFA\x08\x54\x36\x86\x7B\x3A\xB5\x04\x4D\xF0\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x0C\x5D\x8E\xE4\x6F\x51\x68\x42\x05\xA0\xDD\xBB\x4F\x27\x25\x84\x03\xBD\xF7\x64\xFD\x2D\xD7\x30\xE3\xA4\x10\x17\xEB\xDA\x29\x29\xB6\x79\x3F\x76\xF6\x19\x13\x23\xB8\x10\x0A\xF9\x58\xA4\xD4\x61\x70\xBD\x04\x61\x6A\x12\x8A\x17\xD5\x0A\xBD\xC5\xBC\x30\x7C\xD6\xE9\x0C\x25\x8D\x86\x40\x4F\xEC\xCC\xA3\x7E\x38\xC6\x37\x11\x4F\xED\xDD\x68\x31\x8E\x4C\xD2\xB3\x01\x74\xEE\xBE\x75\x5E\x07\x48\x1A\x7F\x70\xFF\x16\x5C\x84\xC0\x79\x85\xB8\x05\xFD\x7F\xBE\x65\x11\xA3\x0F\xC0\x02\xB4\xF8\x52\x37\x39\x04\xD5\xA9\x31\x7A\x18\xBF\xA0\x2A\xF4\x12\x99\xF7\xA3\x45\x82\xE3\x3C\x5E\xF5\x9D\x9E\xB5\xC8\x9E\x7C\x2E\xC8\xA4\x9E\x4E\x08\x14\x4B\x6D\xFD\x70\x6D\x6B\x1A\x63\xBD\x64\xE6\x1F\xB7\xCE\xF0\xF2\x9F\x2E\xBB\x1B\xB7\xF2\x50\x88\x73\x92\xC2\xE2\xE3\x16\x8D\x9A\x32\x02\xAB\x8E\x18\xDD\xE9\x10\x11\xEE\x7E\x35\xAB\x90\xAF\x3E\x30\x94\x7A\xD0\x33\x3D\xA7\x65\x0F\xF5\xFC\x8E\x9E\x62\xCF\x47\x44\x2C\x01\x5D\xBB\x1D\xB5\x32\xD2\x47\xD2\x38\x2E\xD0\xFE\x81\xDC\x32\x6A\x1E\xB5\xEE\x3C\xD5\xFC\xE7\x81\x1D\x19\xC3\x24\x42\xEA\x63\x39\xA9",
 	["CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US"] = "\x30\x82\x02\x90\x30\x82\x01\xF9\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x31\x30\x1E\x17\x0D\x39\x39\x30\x36\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x30\x36\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x71\x75\x69\x66\x61\x78\x20\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x65\x42\x75\x73\x69\x6E\x65\x73\x73\x20\x43\x41\x2D\x31\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xBA\xE7\x17\x90\x02\x65\xB1\x34\x55\x3C\x49\xC2\x51\xD5\xDF\xA7\xD1\x37\x8F\xD1\xE7\x81\x73\x41\x52\x60\x9B\x9D\xA1\x17\x26\x78\xAD\xC7\xB1\xE8\x26\x94\x32\xB5\xDE\x33\x8D\x3A\x2F\xDB\xF2\x9A\x7A\x5A\x73\x98\xA3\x5C\xE9\xFB\x8A\x73\x1B\x5C\xE7\xC3\xBF\x80\x6C\xCD\xA9\xF4\xD6\x2B\xC0\xF7\xF9\x99\xAA\x63\xA2\xB1\x47\x02\x0F\xD4\xE4\x51\x3A\x12\x3C\x6C\x8A\x5A\x54\x84\x70\xDB\xC1\xC5\x90\xCF\x72\x45\xCB\xA8\x59\xC0\xCD\x33\x9D\x3F\xA3\x96\xEB\x85\x33\x21\x1C\x3E\x1E\x3E\x60\x6E\x76\x9C\x67\x85\xC5\xC8\xC3\x61\x02\x03\x01\x00\x01\xA3\x66\x30\x64\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xBE\xA8\xA0\x74\x72\x50\x6B\x44\xB7\xC9\x23\xD8\xFB\xA8\xFF\xB3\x57\x6B\x68\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBE\xA8\xA0\x74\x72\x50\x6B\x44\xB7\xC9\x23\xD8\xFB\xA8\xFF\xB3\x57\x6B\x68\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x30\xE2\x01\x51\xAA\xC7\xEA\x5F\xDA\xB9\xD0\x65\x0F\x30\xD6\x3E\xDA\x0D\x14\x49\x6E\x91\x93\x27\x14\x31\xEF\xC4\xF7\x2D\x45\xF8\xEC\xC7\xBF\xA2\x41\x0D\x23\xB4\x92\xF9\x19\x00\x67\xBD\x01\xAF\xCD\xE0\x71\xFC\x5A\xCF\x64\xC4\xE0\x96\x98\xD0\xA3\x40\xE2\x01\x8A\xEF\x27\x07\xF1\x65\x01\x8A\x44\x2D\x06\x65\x75\x52\xC0\x86\x10\x20\x21\x5F\x6C\x6B\x0F\x6C\xAE\x09\x1C\xAF\xF2\xA2\x18\x34\xC4\x75\xA4\x73\x1C\xF1\x8D\xDC\xEF\xAD\xF9\xB3\x76\xB4\x92\xBF\xDC\x95\x10\x1E\xBE\xCB\xC8\x3B\x5A\x84\x60\x19\x56\x94\xA9\x55",
@@ -58,15 +53,11 @@ redef root_certs += {
 	["CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x33\x34\x33\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x33\x34\x34\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x36\x55\xE5\xA5\x5D\x18\x30\xE0\xDA\x89\x54\x91\xFC\xC8\xC7\x52\xF8\x2F\x50\xD9\xEF\xB1\x75\x73\x65\x47\x7D\x1B\x5B\xBA\x75\xC5\xFC\xA1\x88\x24\xFA\x2F\xED\xCA\x08\x4A\x39\x54\xC4\x51\x7A\xB5\xDA\x60\xEA\x38\x3C\x81\xB2\xCB\xF1\xBB\xD9\x91\x23\x3F\x48\x01\x70\x75\xA9\x05\x2A\xAD\x1F\x71\xF3\xC9\x54\x3D\x1D\x06\x6A\x40\x3E\xB3\x0C\x85\xEE\x5C\x1B\x79\xC2\x62\xC4\xB8\x36\x8E\x35\x5D\x01\x0C\x23\x04\x47\x35\xAA\x9B\x60\x4E\xA0\x66\x3D\xCB\x26\x0A\x9C\x40\xA1\xF4\x5D\x98\xBF\x71\xAB\xA5\x00\x68\x2A\xED\x83\x7A\x0F\xA2\x14\xB5\xD4\x22\xB3\x80\xB0\x3C\x0C\x5A\x51\x69\x2D\x58\x18\x8F\xED\x99\x9E\xF1\xAE\xE2\x95\xE6\xF6\x47\xA8\xD6\x0C\x0F\xB0\x58\x58\xDB\xC3\x66\x37\x9E\x9B\x91\x54\x33\x37\xD2\x94\x1C\x6A\x48\xC9\xC9\xF2\xA5\xDA\xA5\x0C\x23\xF7\x23\x0E\x9C\x32\x55\x5E\x71\x9C\x84\x05\x51\x9A\x2D\xFD\xE6\x4E\x2A\x34\x5A\xDE\xCA\x40\x37\x67\x0C\x54\x21\x55\x77\xDA\x0A\x0C\xCC\x97\xAE\x80\xDC\x94\x36\x4A\xF4\x3E\xCE\x36\x13\x1E\x53\xE4\xAC\x4E\x3A\x05\xEC\xDB\xAE\x72\x9C\x38\x8B\xD0\x39\x3B\x89\x0A\x3E\x77\xFE\x75\x02\x01\x03\xA3\x82\x01\x44\x30\x82\x01\x40\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3C\x06\x03\x55\x1D\x1F\x04\x35\x30\x33\x30\x31\xA0\x2F\xA0\x2D\x86\x2B\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x94\xF5\xB1\x4D\xE9\xDB\xA1\x29\x5B\x57\x8B\x4D\x76\x06\x76\xE1\xD1\xA2\x8A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x27\x06\x03\x55\x1D\x11\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x27\x06\x03\x55\x1D\x12\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x58\x06\x03\x55\x1D\x20\x04\x51\x30\x4F\x30\x4D\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x03\x01\x30\x3E\x30\x3C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0C\x41\x97\xC2\x1A\x86\xC0\x22\x7C\x9F\xFB\x90\xF3\x1A\xD1\x03\xB1\xEF\x13\xF9\x21\x5F\x04\x9C\xDA\xC9\xA5\x8D\x27\x6C\x96\x87\x91\xBE\x41\x90\x01\x72\x93\xE7\x1E\x7D\x5F\xF6\x89\xC6\x5D\xA7\x40\x09\x3D\xAC\x49\x45\x45\xDC\x2E\x8D\x30\x68\xB2\x09\xBA\xFB\xC3\x2F\xCC\xBA\x0B\xDF\x3F\x77\x7B\x46\x7D\x3A\x12\x24\x8E\x96\x8F\x3C\x05\x0A\x6F\xD2\x94\x28\x1D\x6D\x0C\xC0\x2E\x88\x22\xD5\xD8\xCF\x1D\x13\xC7\xF0\x48\xD7\xD7\x05\xA7\xCF\xC7\x47\x9E\x3B\x3C\x34\xC8\x80\x4F\xD4\x14\xBB\xFC\x0D\x50\xF7\xFA\xB3\xEC\x42\x5F\xA9\xDD\x6D\xC8\xF4\x75\xCF\x7B\xC1\x72\x26\xB1\x01\x1C\x5C\x2C\xFD\x7A\x4E\xB4\x01\xC5\x05\x57\xB9\xE7\x3C\xAA\x05\xD9\x88\xE9\x07\x46\x41\xCE\xEF\x41\x81\xAE\x58\xDF\x83\xA2\xAE\xCA\xD7\x77\x1F\xE7\x00\x3C\x9D\x6F\x8E\xE4\x32\x09\x1D\x4D\x78\x34\x78\x34\x3C\x94\x9B\x26\xED\x4F\x71\xC6\x19\x7A\xBD\x20\x22\x48\x5A\xFE\x4B\x7D\x03\xB7\xE7\x58\xBE\xC6\x32\x4E\x74\x1E\x68\xDD\xA8\x68\x5B\xB3\x3E\xEE\x62\x7D\xD9\x80\xE8\x0A\x75\x7A\xB7\xEE\xB4\x65\x9A\x21\x90\xE0\xAA\xD0\x98\xBC\x38\xB5\x73\x3C\x8B\xF8\xDC",
 	["CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = "\x30\x82\x04\xC5\x30\x82\x03\xAD\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xA2\x70\xA2\xD0\x9F\x42\xAE\x5B\x17\xC7\xD8\x7D\xCF\x14\x83\xFC\x4F\xC9\xA1\xB7\x13\xAF\x8A\xD7\x9E\x3E\x04\x0A\x92\x8B\x60\x56\xFA\xB4\x32\x2F\x88\x4D\xA1\x60\x08\xF4\xB7\x09\x4E\xA0\x49\x2F\x49\xD6\xD3\xDF\x9D\x97\x5A\x9F\x94\x04\x70\xEC\x3F\x59\xD9\xB7\xCC\x66\x8B\x98\x52\x28\x09\x02\xDF\xC5\x2F\x84\x8D\x7A\x97\x77\xBF\xEC\x40\x9D\x25\x72\xAB\xB5\x3F\x32\x98\xFB\xB7\xB7\xFC\x72\x84\xE5\x35\x87\xF9\x55\xFA\xA3\x1F\x0E\x6F\x2E\x28\xDD\x69\xA0\xD9\x42\x10\xC6\xF8\xB5\x44\xC2\xD0\x43\x7F\xDB\xBC\xE4\xA2\x3C\x6A\x55\x78\x0A\x77\xA9\xD8\xEA\x19\x32\xB7\x2F\xFE\x5C\x3F\x1B\xEE\xB1\x98\xEC\xCA\xAD\x7A\x69\x45\xE3\x96\x0F\x55\xF6\xE6\xED\x75\xEA\x65\xE8\x32\x56\x93\x46\x89\xA8\x25\x8A\x65\x06\xEE\x6B\xBF\x79\x07\xD0\xF1\xB7\xAF\xED\x2C\x4D\x92\xBB\xC0\xA8\x5F\xA7\x67\x7D\x04\xF2\x15\x08\x70\xAC\x92\xD6\x7D\x04\xD2\x33\xFB\x4C\xB6\x0B\x0B\xFB\x1A\xC9\xC4\x8D\x03\xA9\x7E\x5C\xF2\x50\xAB\x12\xA5\xA1\xCF\x48\x50\xA5\xEF\xD2\xC8\x1A\x13\xFA\xB0\x7F\xB1\x82\x1C\x77\x6A\x0F\x5F\xDC\x0B\x95\x8F\xEF\x43\x7E\xE6\x45\x09\x25\x02\x01\x03\xA3\x82\x01\x50\x30\x82\x01\x4C\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x43\x9C\x36\x9F\xB0\x9E\x30\x4D\xC6\xCE\x5F\xAD\x10\xAB\xE5\x03\xA5\xFA\xA9\x14\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x2A\x06\x03\x55\x1D\x11\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x2A\x06\x03\x55\x1D\x12\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x5B\x06\x03\x55\x1D\x20\x04\x54\x30\x52\x30\x50\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x01\x01\x30\x41\x30\x3F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\x3B\x70\x91\xF9\x04\x54\x27\x91\xE1\xED\xED\xFE\x68\x7F\x61\x5D\xE5\x41\x65\x4F\x32\xF1\x18\x05\x94\x6A\x1C\xDE\x1F\x70\xDB\x3E\x7B\x32\x02\x34\xB5\x0C\x6C\xA1\x8A\x7C\xA5\xF4\x8F\xFF\xD4\xD8\xAD\x17\xD5\x2D\x04\xD1\x3F\x58\x80\xE2\x81\x59\x88\xBE\xC0\xE3\x46\x93\x24\xFE\x90\xBD\x26\xA2\x30\x2D\xE8\x97\x26\x57\x35\x89\x74\x96\x18\xF6\x15\xE2\xAF\x24\x19\x56\x02\x02\xB2\xBA\x0F\x14\xEA\xC6\x8A\x66\xC1\x86\x45\x55\x8B\xBE\x92\xBE\x9C\xA4\x04\xC7\x49\x3C\x9E\xE8\x29\x7A\x89\xD7\xFE\xAF\xFF\x68\xF5\xA5\x17\x90\xBD\xAC\x99\xCC\xA5\x86\x57\x09\x67\x46\xDB\xD6\x16\xC2\x46\xF1\xE4\xA9\x50\xF5\x8F\xD1\x92\x15\xD3\x5F\x3E\xC6\x00\x49\x3A\x6E\x58\xB2\xD1\xD1\x27\x0D\x25\xC8\x32\xF8\x20\x11\xCD\x7D\x32\x33\x48\x94\x54\x4C\xDD\xDC\x79\xC4\x30\x9F\xEB\x8E\xB8\x55\xB5\xD7\x88\x5C\xC5\x6A\x24\x3D\xB2\xD3\x05\x03\x51\xC6\x07\xEF\xCC\x14\x72\x74\x3D\x6E\x72\xCE\x18\x28\x8C\x4A\xA0\x77\xE5\x09\x2B\x45\x44\x47\xAC\xB7\x67\x7F\x01\x8A\x05\x5A\x93\xBE\xA1\xC1\xFF\xF8\xE7\x0E\x67\xA4\x47\x49\x76\x5D\x75\x90\x1A\xF5\x26\x8F\xF0",
 	["CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,ST=Hungary,C=HU"] = "\x30\x82\x06\x7D\x30\x82\x05\x65\xA0\x03\x02\x01\x02\x02\x02\x01\x03\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\xAF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x75\x6E\x67\x61\x72\x79\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x6F\x7A\x6A\x65\x67\x79\x7A\x6F\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x41\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x1E\x17\x0D\x39\x39\x30\x32\x32\x34\x32\x33\x31\x34\x34\x37\x5A\x17\x0D\x31\x39\x30\x32\x31\x39\x32\x33\x31\x34\x34\x37\x5A\x30\x81\xAF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x48\x75\x6E\x67\x61\x72\x79\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x6F\x7A\x6A\x65\x67\x79\x7A\x6F\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x41\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x74\x8C\x0F\xBB\x4C\xF4\x37\x1E\xA9\x05\x82\xD8\xE6\xE1\x6C\x70\xEA\x78\xB5\x6E\xD1\x38\x44\x0D\xA8\x83\xCE\x5D\xD2\xD6\xD5\x81\xC5\xD4\x4B\xE7\x5B\x94\x70\x26\xDB\x3B\x9D\x6A\x4C\x62\xF7\x71\xF3\x64\xD6\x61\x3B\x3D\xEB\x73\xA3\x37\xD9\xCF\xEA\x8C\x92\x3B\xCD\xF7\x07\xDC\x66\x74\x97\xF4\x45\x22\xDD\xF4\x5C\xE0\xBF\x6D\xF3\xBE\x65\x33\xE4\x15\x3A\xBF\xDB\x98\x90\x55\x38\xC4\xED\xA6\x55\x63\x0B\xB0\x78\x04\xF4\xE3\x6E\xC1\x3F\x8E\xFC\x51\x78\x1F\x92\x9E\x83\xC2\xFE\xD9\xB0\xA9\xC9\xBC\x5A\x00\xFF\xA9\xA8\x98\x74\xFB\xF6\x2C\x3E\x15\x39\x0D\xB6\x04\x55\xA8\x0E\x98\x20\x42\xB3\xB1\x25\xAD\x7E\x9A\x6F\x5D\x53\xB1\xAB\x0C\xFC\xEB\xE0\xF3\x7A\xB3\xA8\xB3\xFF\x46\xF6\x63\xA2\xD8\x3A\x98\x7B\xB6\xAC\x85\xFF\xB0\x25\x4F\x74\x63\xE7\x13\x07\xA5\x0A\x8F\x05\xF7\xC0\x64\x6F\x7E\xA7\x27\x80\x96\xDE\xD4\x2E\x86\x60\xC7\x6B\x2B\x5E\x73\x7B\x17\xE7\x91\x3F\x64\x0C\xD8\x4B\x22\x34\x2B\x9B\x32\xF2\x48\x1F\x9F\xA1\x0A\x84\x7A\xE2\xC2\xAD\x97\x3D\x8E\xD5\xC1\xF9\x56\xA3\x50\xE9\xC6\xB4\xFA\x98\xA2\xEE\x95\xE6\x2A\x03\x8C\xDF\x02\x03\x01\x00\x01\xA3\x82\x02\x9F\x30\x82\x02\x9B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x00\x06\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x02\x60\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x82\x02\x51\x16\x82\x02\x4D\x46\x49\x47\x59\x45\x4C\x45\x4D\x21\x20\x45\x7A\x65\x6E\x20\x74\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x41\x6C\x74\x61\x6C\x61\x6E\x6F\x73\x20\x53\x7A\x6F\x6C\x67\x61\x6C\x74\x61\x74\x61\x73\x69\x20\x46\x65\x6C\x74\x65\x74\x65\x6C\x65\x69\x62\x65\x6E\x20\x6C\x65\x69\x72\x74\x20\x65\x6C\x6A\x61\x72\x61\x73\x6F\x6B\x20\x61\x6C\x61\x70\x6A\x61\x6E\x20\x6B\x65\x73\x7A\x75\x6C\x74\x2E\x20\x41\x20\x68\x69\x74\x65\x6C\x65\x73\x69\x74\x65\x73\x20\x66\x6F\x6C\x79\x61\x6D\x61\x74\x61\x74\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x74\x65\x72\x6D\x65\x6B\x66\x65\x6C\x65\x6C\x6F\x73\x73\x65\x67\x2D\x62\x69\x7A\x74\x6F\x73\x69\x74\x61\x73\x61\x20\x76\x65\x64\x69\x2E\x20\x41\x20\x64\x69\x67\x69\x74\x61\x6C\x69\x73\x20\x61\x6C\x61\x69\x72\x61\x73\x20\x65\x6C\x66\x6F\x67\x61\x64\x61\x73\x61\x6E\x61\x6B\x20\x66\x65\x6C\x74\x65\x74\x65\x6C\x65\x20\x61\x7A\x20\x65\x6C\x6F\x69\x72\x74\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x69\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6D\x65\x67\x74\x65\x74\x65\x6C\x65\x2E\x20\x41\x7A\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6C\x65\x69\x72\x61\x73\x61\x20\x6D\x65\x67\x74\x61\x6C\x61\x6C\x68\x61\x74\x6F\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x68\x6F\x6E\x6C\x61\x70\x6A\x61\x6E\x20\x61\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x63\x69\x6D\x65\x6E\x20\x76\x61\x67\x79\x20\x6B\x65\x72\x68\x65\x74\x6F\x20\x61\x7A\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x20\x65\x2D\x6D\x61\x69\x6C\x20\x63\x69\x6D\x65\x6E\x2E\x20\x49\x4D\x50\x4F\x52\x54\x41\x4E\x54\x21\x20\x54\x68\x65\x20\x69\x73\x73\x75\x61\x6E\x63\x65\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x69\x73\x20\x73\x75\x62\x6A\x65\x63\x74\x20\x74\x6F\x20\x74\x68\x65\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x43\x50\x53\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x6F\x72\x20\x62\x79\x20\x65\x2D\x6D\x61\x69\x6C\x20\x61\x74\x20\x63\x70\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x82\x01\x01\x00\x48\x24\x46\xF7\xBA\x56\x6F\xFA\xC8\x28\x03\x40\x4E\xE5\x31\x39\x6B\x26\x6B\x53\x7F\xDB\xDF\xDF\xF3\x71\x3D\x26\xC0\x14\x0E\xC6\x67\x7B\x23\xA8\x0C\x73\xDD\x01\xBB\xC6\xCA\x6E\x37\x39\x55\xD5\xC7\x8C\x56\x20\x0E\x28\x0A\x0E\xD2\x2A\xA4\xB0\x49\x52\xC6\x38\x07\xFE\xBE\x0A\x09\x8C\xD1\x98\xCF\xCA\xDA\x14\x31\xA1\x4F\xD2\x39\xFC\x0F\x11\x2C\x43\xC3\xDD\xAB\x93\xC7\x55\x3E\x47\x7C\x18\x1A\x00\xDC\xF3\x7B\xD8\xF2\x7F\x52\x6C\x20\xF4\x0B\x5F\x69\x52\xF4\xEE\xF8\xB2\x29\x60\xEB\xE3\x49\x31\x21\x0D\xD6\xB5\x10\x41\xE2\x41\x09\x6C\xE2\x1A\x9A\x56\x4B\x77\x02\xF6\xA0\x9B\x9A\x27\x87\xE8\x55\x29\x71\xC2\x90\x9F\x45\x78\x1A\xE1\x15\x64\x3D\xD0\x0E\xD8\xA0\x76\x9F\xAE\xC5\xD0\x2E\xEA\xD6\x0F\x56\xEC\x64\x7F\x5A\x9B\x14\x58\x01\x27\x7E\x13\x50\xC7\x6B\x2A\xE6\x68\x3C\xBF\x5C\xA0\x0A\x1B\xE1\x0E\x7A\xE9\xE2\x80\xC3\xE9\xE9\xF6\xFD\x6C\x11\x9E\xD0\xE5\x28\x27\x2B\x54\x32\x42\x14\x82\x75\xE6\x4A\xF0\x2B\x66\x75\x63\x8C\xA2\xFB\x04\x3E\x83\x0E\x9B\x36\xF0\x18\xE4\x26\x20\xC3\x8C\xF0\x28\x07\xAD\x3C\x17\x66\x88\xB5\xFD\xB6\x88",
-	["CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU"] = "\x30\x82\x05\x4B\x30\x82\x04\xB4\xA0\x03\x02\x01\x02\x02\x01\x69\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\x99\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x55\x7A\x6C\x65\x74\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x42\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x1E\x17\x0D\x39\x39\x30\x32\x32\x35\x31\x34\x31\x30\x32\x32\x5A\x17\x0D\x31\x39\x30\x32\x32\x30\x31\x34\x31\x30\x32\x32\x5A\x30\x81\x99\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x55\x7A\x6C\x65\x74\x69\x20\x28\x43\x6C\x61\x73\x73\x20\x42\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xB1\xEA\x04\xEC\x20\xA0\x23\xC2\x8F\x38\x60\xCF\xC7\x46\xB3\xD5\x1B\xFE\xFB\xB9\x99\x9E\x04\xDC\x1C\x7F\x8C\x4A\x81\x98\xEE\xA4\xD4\xCA\x8A\x17\xB9\x22\x7F\x83\x0A\x75\x4C\x9B\xC0\x69\xD8\x64\x39\xA3\xED\x92\xA3\xFD\x5B\x5C\x74\x1A\xC0\x47\xCA\x3A\x69\x76\x9A\xBA\xE2\x44\x17\xFC\x4C\xA3\xD5\xFE\xB8\x97\x88\xAF\x88\x03\x89\x1F\xA4\xF2\x04\x3E\xC8\x07\x0B\xE6\xF9\xB3\x2F\x7A\x62\x14\x09\x46\x14\xCA\x64\xF5\x8B\x80\xB5\x62\xA8\xD8\x6B\xD6\x71\x93\x2D\xB3\xBF\x09\x54\x58\xED\x06\xEB\xA8\x7B\xDC\x43\xB1\xA1\x69\x02\x03\x01\x00\x01\xA3\x82\x02\x9F\x30\x82\x02\x9B\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x00\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x02\x60\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x82\x02\x51\x16\x82\x02\x4D\x46\x49\x47\x59\x45\x4C\x45\x4D\x21\x20\x45\x7A\x65\x6E\x20\x74\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x41\x6C\x74\x61\x6C\x61\x6E\x6F\x73\x20\x53\x7A\x6F\x6C\x67\x61\x6C\x74\x61\x74\x61\x73\x69\x20\x46\x65\x6C\x74\x65\x74\x65\x6C\x65\x69\x62\x65\x6E\x20\x6C\x65\x69\x72\x74\x20\x65\x6C\x6A\x61\x72\x61\x73\x6F\x6B\x20\x61\x6C\x61\x70\x6A\x61\x6E\x20\x6B\x65\x73\x7A\x75\x6C\x74\x2E\x20\x41\x20\x68\x69\x74\x65\x6C\x65\x73\x69\x74\x65\x73\x20\x66\x6F\x6C\x79\x61\x6D\x61\x74\x61\x74\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x74\x65\x72\x6D\x65\x6B\x66\x65\x6C\x65\x6C\x6F\x73\x73\x65\x67\x2D\x62\x69\x7A\x74\x6F\x73\x69\x74\x61\x73\x61\x20\x76\x65\x64\x69\x2E\x20\x41\x20\x64\x69\x67\x69\x74\x61\x6C\x69\x73\x20\x61\x6C\x61\x69\x72\x61\x73\x20\x65\x6C\x66\x6F\x67\x61\x64\x61\x73\x61\x6E\x61\x6B\x20\x66\x65\x6C\x74\x65\x74\x65\x6C\x65\x20\x61\x7A\x20\x65\x6C\x6F\x69\x72\x74\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x69\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6D\x65\x67\x74\x65\x74\x65\x6C\x65\x2E\x20\x41\x7A\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6C\x65\x69\x72\x61\x73\x61\x20\x6D\x65\x67\x74\x61\x6C\x61\x6C\x68\x61\x74\x6F\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x68\x6F\x6E\x6C\x61\x70\x6A\x61\x6E\x20\x61\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x63\x69\x6D\x65\x6E\x20\x76\x61\x67\x79\x20\x6B\x65\x72\x68\x65\x74\x6F\x20\x61\x7A\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x20\x65\x2D\x6D\x61\x69\x6C\x20\x63\x69\x6D\x65\x6E\x2E\x20\x49\x4D\x50\x4F\x52\x54\x41\x4E\x54\x21\x20\x54\x68\x65\x20\x69\x73\x73\x75\x61\x6E\x63\x65\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x69\x73\x20\x73\x75\x62\x6A\x65\x63\x74\x20\x74\x6F\x20\x74\x68\x65\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x43\x50\x53\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x6F\x72\x20\x62\x79\x20\x65\x2D\x6D\x61\x69\x6C\x20\x61\x74\x20\x63\x70\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x04\xDB\xAE\x8C\x17\xAF\xF8\x0E\x90\x31\x4E\xCD\x3E\x09\xC0\x6D\x3A\xB0\xF8\x33\x4C\x47\x4C\xE3\x75\x88\x10\x97\xAC\xB0\x38\x15\x91\xC6\x29\x96\xCC\x21\xC0\x6D\x3C\xA5\x74\xCF\xD8\x82\xA5\x39\xC3\x65\xE3\x42\x70\xBB\x22\x90\xE3\x7D\xDB\x35\x76\xE1\xA0\xB5\xDA\x9F\x70\x6E\x93\x1A\x30\x39\x1D\x30\xDB\x2E\xE3\x7C\xB2\x91\xB2\xD1\x37\x29\xFA\xB9\xD6\x17\x5C\x47\x4F\xE3\x1D\x38\xEB\x9F\xD5\x7B\x95\xA8\x28\x9E\x15\x4A\xD1\xD1\xD0\x2B\x00\x97\xA0\xE2\x92\x36\x2B\x63\xAC\x58\x01\x6B\x33\x29\x50\x86\x83\xF1\x01\x48",
-	["CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU"] = "\x30\x82\x05\x4F\x30\x82\x04\xB8\xA0\x03\x02\x01\x02\x02\x01\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x30\x81\x9B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x34\x30\x32\x06\x03\x55\x04\x03\x13\x2B\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x45\x78\x70\x72\x65\x73\x73\x7A\x20\x28\x43\x6C\x61\x73\x73\x20\x43\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x1E\x17\x0D\x39\x39\x30\x32\x32\x35\x31\x34\x30\x38\x31\x31\x5A\x17\x0D\x31\x39\x30\x32\x32\x30\x31\x34\x30\x38\x31\x31\x5A\x30\x81\x9B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x48\x61\x6C\x6F\x7A\x61\x74\x62\x69\x7A\x74\x6F\x6E\x73\x61\x67\x69\x20\x4B\x66\x74\x2E\x31\x1A\x30\x18\x06\x03\x55\x04\x0B\x13\x11\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x6B\x31\x34\x30\x32\x06\x03\x55\x04\x03\x13\x2B\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x45\x78\x70\x72\x65\x73\x73\x7A\x20\x28\x43\x6C\x61\x73\x73\x20\x43\x29\x20\x54\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x6B\x69\x61\x64\x6F\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xEB\xEC\xB0\x6C\x61\x8A\x23\x25\xAF\x60\x20\xE3\xD9\x9F\xFC\x93\x0B\xDB\x5D\x8D\xB0\xA1\xB3\x40\x3A\x82\xCE\xFD\x75\xE0\x78\x32\x03\x86\x5A\x86\x95\x91\xED\x53\xFA\x9D\x40\xFC\xE6\xE8\xDD\xD9\x5B\x7A\x03\xBD\x5D\xF3\x3B\x0C\xC3\x51\x79\x9B\xAD\x55\xA0\xE9\xD0\x03\x10\xAF\x0A\xBA\x14\x42\xD9\x52\x26\x11\x22\xC7\xD2\x20\xCC\x82\xA4\x9A\xA9\xFE\xB8\x81\x76\x9D\x6A\xB7\xD2\x36\x75\x3E\xB1\x86\x09\xF6\x6E\x6D\x7E\x4E\xB7\x7A\xEC\xAE\x71\x84\xF6\x04\x33\x08\x25\x32\xEB\x74\xAC\x16\x44\xC6\xE4\x40\x93\x1D\x7F\xAD\x02\x03\x01\x00\x01\xA3\x82\x02\x9F\x30\x82\x02\x9B\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x00\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x82\x02\x60\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x82\x02\x51\x16\x82\x02\x4D\x46\x49\x47\x59\x45\x4C\x45\x4D\x21\x20\x45\x7A\x65\x6E\x20\x74\x61\x6E\x75\x73\x69\x74\x76\x61\x6E\x79\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x41\x6C\x74\x61\x6C\x61\x6E\x6F\x73\x20\x53\x7A\x6F\x6C\x67\x61\x6C\x74\x61\x74\x61\x73\x69\x20\x46\x65\x6C\x74\x65\x74\x65\x6C\x65\x69\x62\x65\x6E\x20\x6C\x65\x69\x72\x74\x20\x65\x6C\x6A\x61\x72\x61\x73\x6F\x6B\x20\x61\x6C\x61\x70\x6A\x61\x6E\x20\x6B\x65\x73\x7A\x75\x6C\x74\x2E\x20\x41\x20\x68\x69\x74\x65\x6C\x65\x73\x69\x74\x65\x73\x20\x66\x6F\x6C\x79\x61\x6D\x61\x74\x61\x74\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x74\x65\x72\x6D\x65\x6B\x66\x65\x6C\x65\x6C\x6F\x73\x73\x65\x67\x2D\x62\x69\x7A\x74\x6F\x73\x69\x74\x61\x73\x61\x20\x76\x65\x64\x69\x2E\x20\x41\x20\x64\x69\x67\x69\x74\x61\x6C\x69\x73\x20\x61\x6C\x61\x69\x72\x61\x73\x20\x65\x6C\x66\x6F\x67\x61\x64\x61\x73\x61\x6E\x61\x6B\x20\x66\x65\x6C\x74\x65\x74\x65\x6C\x65\x20\x61\x7A\x20\x65\x6C\x6F\x69\x72\x74\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x69\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6D\x65\x67\x74\x65\x74\x65\x6C\x65\x2E\x20\x41\x7A\x20\x65\x6C\x6A\x61\x72\x61\x73\x20\x6C\x65\x69\x72\x61\x73\x61\x20\x6D\x65\x67\x74\x61\x6C\x61\x6C\x68\x61\x74\x6F\x20\x61\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x68\x6F\x6E\x6C\x61\x70\x6A\x61\x6E\x20\x61\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x63\x69\x6D\x65\x6E\x20\x76\x61\x67\x79\x20\x6B\x65\x72\x68\x65\x74\x6F\x20\x61\x7A\x20\x65\x6C\x6C\x65\x6E\x6F\x72\x7A\x65\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x20\x65\x2D\x6D\x61\x69\x6C\x20\x63\x69\x6D\x65\x6E\x2E\x20\x49\x4D\x50\x4F\x52\x54\x41\x4E\x54\x21\x20\x54\x68\x65\x20\x69\x73\x73\x75\x61\x6E\x63\x65\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x69\x73\x20\x73\x75\x62\x6A\x65\x63\x74\x20\x74\x6F\x20\x74\x68\x65\x20\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x43\x50\x53\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2F\x64\x6F\x63\x73\x20\x6F\x72\x20\x62\x79\x20\x65\x2D\x6D\x61\x69\x6C\x20\x61\x74\x20\x63\x70\x73\x40\x6E\x65\x74\x6C\x6F\x63\x6B\x2E\x6E\x65\x74\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x04\x05\x00\x03\x81\x81\x00\x10\xAD\x7F\xD7\x0C\x32\x80\x0A\xD8\x86\xF1\x79\x98\xB5\xAD\xD4\xCD\xB3\x36\xC4\x96\x48\xC1\x5C\xCD\x9A\xD9\x05\x2E\x9F\xBE\x50\xEB\xF4\x26\x14\x10\x2D\xD4\x66\x17\xF8\x9E\xC1\x27\xFD\xF1\xED\xE4\x7B\x4B\xA0\x6C\xB5\xAB\x9A\x57\x70\xA6\xED\xA0\xA4\xED\x2E\xF5\xFD\xFC\xBD\xFE\x4D\x37\x08\x0C\xBC\xE3\x96\x83\x22\xF5\x49\x1B\x7F\x4B\x2B\xB4\x54\xC1\x80\x7C\x99\x4E\x1D\xD0\x8C\xEE\xD0\xAC\xE5\x92\xFA\x75\x56\xFE\x64\xA0\x13\x8F\xB8\xB8\x16\x9D\x61\x05\x67\x80\xC8\xD0\xD8\xA5\x07\x02\x34\x98\x04\x8D\x33\x04\xD4",
 	["CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US"] = "\x30\x82\x04\x30\x30\x82\x03\x18\xA0\x03\x02\x01\x02\x02\x10\x50\x94\x6C\xEC\x18\xEA\xD5\x9C\x4D\xD5\x97\xEF\x75\x8F\xA0\xAD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x31\x30\x31\x31\x37\x31\x34\x30\x34\x5A\x17\x0D\x33\x35\x30\x31\x30\x31\x30\x35\x33\x37\x31\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x98\x24\x1E\xBD\x15\xB4\xBA\xDF\xC7\x8C\xA5\x27\xB6\x38\x0B\x69\xF3\xB6\x4E\xA8\x2C\x2E\x21\x1D\x5C\x44\xDF\x21\x5D\x7E\x23\x74\xFE\x5E\x7E\xB4\x4A\xB7\xA6\xAD\x1F\xAE\xE0\x06\x16\xE2\x9B\x5B\xD9\x67\x74\x6B\x5D\x80\x8F\x29\x9D\x86\x1B\xD9\x9C\x0D\x98\x6D\x76\x10\x28\x58\xE4\x65\xB0\x7F\x4A\x98\x79\x9F\xE0\xC3\x31\x7E\x80\x2B\xB5\x8C\xC0\x40\x3B\x11\x86\xD0\xCB\xA2\x86\x36\x60\xA4\xD5\x30\x82\x6D\xD9\x6E\xD0\x0F\x12\x04\x33\x97\x5F\x4F\x61\x5A\xF0\xE4\xF9\x91\xAB\xE7\x1D\x3B\xBC\xE8\xCF\xF4\x6B\x2D\x34\x7C\xE2\x48\x61\x1C\x8E\xF3\x61\x44\xCC\x6F\xA0\x4A\xA9\x94\xB0\x4D\xDA\xE7\xA9\x34\x7A\x72\x38\xA8\x41\xCC\x3C\x94\x11\x7D\xEB\xC8\xA6\x8C\xB7\x86\xCB\xCA\x33\x3B\xD9\x3D\x37\x8B\xFB\x7A\x3E\x86\x2C\xE7\x73\xD7\x0A\x57\xAC\x64\x9B\x19\xEB\xF4\x0F\x04\x08\x8A\xAC\x03\x17\x19\x64\xF4\x5A\x25\x22\x8D\x34\x2C\xB2\xF6\x68\x1D\x12\x6D\xD3\x8A\x1E\x14\xDA\xC4\x8F\xA6\xE2\x23\x85\xD5\x7A\x0D\xBD\x6A\xE0\xE9\xEC\xEC\x17\xBB\x42\x1B\x67\xAA\x25\xED\x45\x83\x21\xFC\xC1\xC9\x7C\xD5\x62\x3E\xFA\xF2\xC5\x2D\xD3\xFD\xD4\x65\x02\x03\x01\x00\x01\xA3\x81\x9F\x30\x81\x9C\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC6\x4F\xA2\x3D\x06\x63\x84\x09\x9C\xCE\x62\xE4\x04\xAC\x8D\x5C\xB5\xE9\xB6\x1B\x30\x36\x06\x03\x55\x1D\x1F\x04\x2F\x30\x2D\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x2F\x58\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x91\x15\x39\x03\x01\x1B\x67\xFB\x4A\x1C\xF9\x0A\x60\x5B\xA1\xDA\x4D\x97\x62\xF9\x24\x53\x27\xD7\x82\x64\x4E\x90\x2E\xC3\x49\x1B\x2B\x9A\xDC\xFC\xA8\x78\x67\x35\xF1\x1D\xF0\x11\xBD\xB7\x48\xE3\x10\xF6\x0D\xDF\x3F\xD2\xC9\xB6\xAA\x55\xA4\x48\xBA\x02\xDB\xDE\x59\x2E\x15\x5B\x3B\x9D\x16\x7D\x47\xD7\x37\xEA\x5F\x4D\x76\x12\x36\xBB\x1F\xD7\xA1\x81\x04\x46\x20\xA3\x2C\x6D\xA9\x9E\x01\x7E\x3F\x29\xCE\x00\x93\xDF\xFD\xC9\x92\x73\x89\x89\x64\x9E\xE7\x2B\xE4\x1C\x91\x2C\xD2\xB9\xCE\x7D\xCE\x6F\x31\x99\xD3\xE6\xBE\xD2\x1E\x90\xF0\x09\x14\x79\x5C\x23\xAB\x4D\xD2\xDA\x21\x1F\x4D\x99\x79\x9D\xE1\xCF\x27\x9F\x10\x9B\x1C\x88\x0D\xB0\x8A\x64\x41\x31\xB8\x0E\x6C\x90\x24\xA4\x9B\x5C\x71\x8F\xBA\xBB\x7E\x1C\x1B\xDB\x6A\x80\x0F\x21\xBC\xE9\xDB\xA6\xB7\x40\xF4\xB2\x8B\xA9\xB1\xE4\xEF\x9A\x1A\xD0\x3D\x69\x99\xEE\xA8\x28\xA3\xE1\x3C\xB3\xF0\xB2\x11\x9C\xCF\x7C\x40\xE6\xDD\xE7\x43\x7D\xA2\xD8\x3A\xB5\xA9\x8D\xF2\x34\x99\xC4\xD4\x10\xE1\x06\xFD\x09\x84\x10\x3B\xEE\xC4\x4C\xF4\xEC\x27\x7C\x42\xC2\x74\x7C\x82\x8A\x09\xC9\xB4\x03\x25\xBC",
 	["OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US"] = "\x30\x82\x04\x00\x30\x82\x02\xE8\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xDE\x9D\xD7\xEA\x57\x18\x49\xA1\x5B\xEB\xD7\x5F\x48\x86\xEA\xBE\xDD\xFF\xE4\xEF\x67\x1C\xF4\x65\x68\xB3\x57\x71\xA0\x5E\x77\xBB\xED\x9B\x49\xE9\x70\x80\x3D\x56\x18\x63\x08\x6F\xDA\xF2\xCC\xD0\x3F\x7F\x02\x54\x22\x54\x10\xD8\xB2\x81\xD4\xC0\x75\x3D\x4B\x7F\xC7\x77\xC3\x3E\x78\xAB\x1A\x03\xB5\x20\x6B\x2F\x6A\x2B\xB1\xC5\x88\x7E\xC4\xBB\x1E\xB0\xC1\xD8\x45\x27\x6F\xAA\x37\x58\xF7\x87\x26\xD7\xD8\x2D\xF6\xA9\x17\xB7\x1F\x72\x36\x4E\xA6\x17\x3F\x65\x98\x92\xDB\x2A\x6E\x5D\xA2\xFE\x88\xE0\x0B\xDE\x7F\xE5\x8D\x15\xE1\xEB\xCB\x3A\xD5\xE2\x12\xA2\x13\x2D\xD8\x8E\xAF\x5F\x12\x3D\xA0\x08\x05\x08\xB6\x5C\xA5\x65\x38\x04\x45\x99\x1E\xA3\x60\x60\x74\xC5\x41\xA5\x72\x62\x1B\x62\xC5\x1F\x6F\x5F\x1A\x42\xBE\x02\x51\x65\xA8\xAE\x23\x18\x6A\xFC\x78\x03\xA9\x4D\x7F\x80\xC3\xFA\xAB\x5A\xFC\xA1\x40\xA4\xCA\x19\x16\xFE\xB2\xC8\xEF\x5E\x73\x0D\xEE\x77\xBD\x9A\xF6\x79\x98\xBC\xB1\x07\x67\xA2\x15\x0D\xDD\xA0\x58\xC6\x44\x7B\x0A\x3E\x62\x28\x5F\xBA\x41\x07\x53\x58\xCF\x11\x7E\x38\x74\xC5\xF8\xFF\xB5\x69\x90\x8F\x84\x74\xEA\x97\x1B\xAF\x02\x01\x03\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\x30\x81\x8D\x06\x03\x55\x1D\x23\x04\x81\x85\x30\x81\x82\x80\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\xA1\x67\xA4\x65\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x32\x4B\xF3\xB2\xCA\x3E\x91\xFC\x12\xC6\xA1\x07\x8C\x8E\x77\xA0\x33\x06\x14\x5C\x90\x1E\x18\xF7\x08\xA6\x3D\x0A\x19\xF9\x87\x80\x11\x6E\x69\xE4\x96\x17\x30\xFF\x34\x91\x63\x72\x38\xEE\xCC\x1C\x01\xA3\x1D\x94\x28\xA4\x31\xF6\x7A\xC4\x54\xD7\xF6\xE5\x31\x58\x03\xA2\xCC\xCE\x62\xDB\x94\x45\x73\xB5\xBF\x45\xC9\x24\xB5\xD5\x82\x02\xAD\x23\x79\x69\x8D\xB8\xB6\x4D\xCE\xCF\x4C\xCA\x33\x23\xE8\x1C\x88\xAA\x9D\x8B\x41\x6E\x16\xC9\x20\xE5\x89\x9E\xCD\x3B\xDA\x70\xF7\x7E\x99\x26\x20\x14\x54\x25\xAB\x6E\x73\x85\xE6\x9B\x21\x9D\x0A\x6C\x82\x0E\xA8\xF8\xC2\x0C\xFA\x10\x1E\x6C\x96\xEF\x87\x0D\xC4\x0F\x61\x8B\xAD\xEE\x83\x2B\x95\xF8\x8E\x92\x84\x72\x39\xEB\x20\xEA\x83\xED\x83\xCD\x97\x6E\x08\xBC\xEB\x4E\x26\xB6\x73\x2B\xE4\xD3\xF6\x4C\xFE\x26\x71\xE2\x61\x11\x74\x4A\xFF\x57\x1A\x87\x0F\x75\x48\x2E\xCF\x51\x69\x17\xA0\x02\x12\x61\x95\xD5\xD1\x40\xB2\x10\x4C\xEE\xC4\xAC\x10\x43\xA6\xA5\x9E\x0A\xD5\x95\x62\x9A\x0D\xCF\x88\x82\xC5\x32\x0C\xE4\x2B\x9F\x45\xE6\x0D\x9F\x28\x9C\xB1\xB9\x2A\x5A\x57\xAD\x37\x0F\xAF\x1D\x7F\xDB\xBD\x9F",
 	["OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US"] = "\x30\x82\x04\x0F\x30\x82\x02\xF7\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x32\xC8\xFE\xE9\x71\xA6\x04\x85\xAD\x0C\x11\x64\xDF\xCE\x4D\xEF\xC8\x03\x18\x87\x3F\xA1\xAB\xFB\x3C\xA6\x9F\xF0\xC3\xA1\xDA\xD4\xD8\x6E\x2B\x53\x90\xFB\x24\xA4\x3E\x84\xF0\x9E\xE8\x5F\xEC\xE5\x27\x44\xF5\x28\xA6\x3F\x7B\xDE\xE0\x2A\xF0\xC8\xAF\x53\x2F\x9E\xCA\x05\x01\x93\x1E\x8F\x66\x1C\x39\xA7\x4D\xFA\x5A\xB6\x73\x04\x25\x66\xEB\x77\x7F\xE7\x59\xC6\x4A\x99\x25\x14\x54\xEB\x26\xC7\xF3\x7F\x19\xD5\x30\x70\x8F\xAF\xB0\x46\x2A\xFF\xAD\xEB\x29\xED\xD7\x9F\xAA\x04\x87\xA3\xD4\xF9\x89\xA5\x34\x5F\xDB\x43\x91\x82\x36\xD9\x66\x3C\xB1\xB8\xB9\x82\xFD\x9C\x3A\x3E\x10\xC8\x3B\xEF\x06\x65\x66\x7A\x9B\x19\x18\x3D\xFF\x71\x51\x3C\x30\x2E\x5F\xBE\x3D\x77\x73\xB2\x5D\x06\x6C\xC3\x23\x56\x9A\x2B\x85\x26\x92\x1C\xA7\x02\xB3\xE4\x3F\x0D\xAF\x08\x79\x82\xB8\x36\x3D\xEA\x9C\xD3\x35\xB3\xBC\x69\xCA\xF5\xCC\x9D\xE8\xFD\x64\x8D\x17\x80\x33\x6E\x5E\x4A\x5D\x99\xC9\x1E\x87\xB4\x9D\x1A\xC0\xD5\x6E\x13\x35\x23\x5E\xDF\x9B\x5F\x3D\xEF\xD6\xF7\x76\xC2\xEA\x3E\xBB\x78\x0D\x1C\x42\x67\x6B\x04\xD8\xF8\xD6\xDA\x6F\x8B\xF2\x44\xA0\x01\xAB\x02\x01\x03\xA3\x81\xC5\x30\x81\xC2\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\x30\x81\x92\x06\x03\x55\x1D\x23\x04\x81\x8A\x30\x81\x87\x80\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\x9D\x3F\x88\x9D\xD1\xC9\x1A\x55\xA1\xAC\x69\xF3\xF3\x59\xDA\x9B\x01\x87\x1A\x4F\x57\xA9\xA1\x79\x09\x2A\xDB\xF7\x2F\xB2\x1E\xCC\xC7\x5E\x6A\xD8\x83\x87\xA1\x97\xEF\x49\x35\x3E\x77\x06\x41\x58\x62\xBF\x8E\x58\xB8\x0A\x67\x3F\xEC\xB3\xDD\x21\x66\x1F\xC9\x54\xFA\x72\xCC\x3D\x4C\x40\xD8\x81\xAF\x77\x9E\x83\x7A\xBB\xA2\xC7\xF5\x34\x17\x8E\xD9\x11\x40\xF4\xFC\x2C\x2A\x4D\x15\x7F\xA7\x62\x5D\x2E\x25\xD3\x00\x0B\x20\x1A\x1D\x68\xF9\x17\xB8\xF4\xBD\x8B\xED\x28\x59\xDD\x4D\x16\x8B\x17\x83\xC8\xB2\x65\xC7\x2D\x7A\xA5\xAA\xBC\x53\x86\x6D\xDD\x57\xA4\xCA\xF8\x20\x41\x0B\x68\xF0\xF4\xFB\x74\xBE\x56\x5D\x7A\x79\xF5\xF9\x1D\x85\xE3\x2D\x95\xBE\xF5\x71\x90\x43\xCC\x8D\x1F\x9A\x00\x0A\x87\x29\xE9\x55\x22\x58\x00\x23\xEA\xE3\x12\x43\x29\x5B\x47\x08\xDD\x8C\x41\x6A\x65\x06\xA8\xE5\x21\xAA\x41\xB4\x95\x21\x95\xB9\x7D\xD1\x34\xAB\x13\xD6\xAD\xBC\xDC\xE2\x3D\x39\xCD\xBD\x3E\x75\x70\xA1\x18\x59\x03\xC9\x22\xB4\x8F\x9C\xD5\x5E\x2A\xD7\xA5\xB6\xD4\x0A\x6D\xF8\xB7\x40\x11\x46\x9A\x1F\x79\x0E\x62\xBF\x0F\x97\xEC\xE0\x2F\x1F\x17\x94",
 	["CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL"] = "\x30\x82\x07\xC9\x30\x82\x05\xB1\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x17\x0D\x33\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC1\x88\xDB\x09\xBC\x6C\x46\x7C\x78\x9F\x95\x7B\xB5\x33\x90\xF2\x72\x62\xD6\xC1\x36\x20\x22\x24\x5E\xCE\xE9\x77\xF2\x43\x0A\xA2\x06\x64\xA4\xCC\x8E\x36\xF8\x38\xE6\x23\xF0\x6E\x6D\xB1\x3C\xDD\x72\xA3\x85\x1C\xA1\xD3\x3D\xB4\x33\x2B\xD3\x2F\xAF\xFE\xEA\xB0\x41\x59\x67\xB6\xC4\x06\x7D\x0A\x9E\x74\x85\xD6\x79\x4C\x80\x37\x7A\xDF\x39\x05\x52\x59\xF7\xF4\x1B\x46\x43\xA4\xD2\x85\x85\xD2\xC3\x71\xF3\x75\x62\x34\xBA\x2C\x8A\x7F\x1E\x8F\xEE\xED\x34\xD0\x11\xC7\x96\xCD\x52\x3D\xBA\x33\xD6\xDD\x4D\xDE\x0B\x3B\x4A\x4B\x9F\xC2\x26\x2F\xFA\xB5\x16\x1C\x72\x35\x77\xCA\x3C\x5D\xE6\xCA\xE1\x26\x8B\x1A\x36\x76\x5C\x01\xDB\x74\x14\x25\xFE\xED\xB5\xA0\x88\x0F\xDD\x78\xCA\x2D\x1F\x07\x97\x30\x01\x2D\x72\x79\xFA\x46\xD6\x13\x2A\xA8\xB9\xA6\xAB\x83\x49\x1D\xE5\xF2\xEF\xDD\xE4\x01\x8E\x18\x0A\x8F\x63\x53\x16\x85\x62\xA9\x0E\x19\x3A\xCC\xB5\x66\xA6\xC2\x6B\x74\x07\xE4\x2B\xE1\x76\x3E\xB4\x6D\xD8\xF6\x44\xE1\x73\x62\x1F\x3B\xC4\xBE\xA0\x53\x56\x25\x6C\x51\x09\xF7\xAA\xAB\xCA\xBF\x76\xFD\x6D\x9B\xF3\x9D\xDB\xBF\x3D\x66\xBC\x0C\x56\xAA\xAF\x98\x48\x95\x3A\x4B\xDF\xA7\x58\x50\xD9\x38\x75\xA9\x5B\xEA\x43\x0C\x02\xFF\x99\xEB\xE8\x6C\x4D\x70\x5B\x29\x65\x9C\xDD\xAA\x5D\xCC\xAF\x01\x31\xEC\x0C\xEB\xD2\x8D\xE8\xEA\x9C\x7B\xE6\x6E\xF7\x27\x66\x0C\x1A\x48\xD7\x6E\x42\xE3\x3F\xDE\x21\x3E\x7B\xE1\x0D\x70\xFB\x63\xAA\xA8\x6C\x1A\x54\xB4\x5C\x25\x7A\xC9\xA2\xC9\x8B\x16\xA6\xBB\x2C\x7E\x17\x5E\x05\x4D\x58\x6E\x12\x1D\x01\xEE\x12\x10\x0D\xC6\x32\x7F\x18\xFF\xFC\xF4\xFA\xCD\x6E\x91\xE8\x36\x49\xBE\x1A\x48\x69\x8B\xC2\x96\x4D\x1A\x12\xB2\x69\x17\xC1\x0A\x90\xD6\xFA\x79\x22\x48\xBF\xBA\x7B\x69\xF8\x70\xC7\xFA\x7A\x37\xD8\xD8\x0D\xD2\x76\x4F\x57\xFF\x90\xB7\xE3\x91\xD2\xDD\xEF\xC2\x60\xB7\x67\x3A\xDD\xFE\xAA\x9C\xF0\xD4\x8B\x7F\x72\x22\xCE\xC6\x9F\x97\xB6\xF8\xAF\x8A\xA0\x10\xA8\xD9\xFB\x18\xC6\xB6\xB5\x5C\x52\x3C\x89\xB6\x19\x2A\x73\x01\x0A\x0F\x03\xB3\x12\x60\xF2\x7A\x2F\x81\xDB\xA3\x6E\xFF\x26\x30\x97\xF5\x8B\xDD\x89\x57\xB6\xAD\x3D\xB3\xAF\x2B\xC5\xB7\x76\x02\xF0\xA5\xD6\x2B\x9A\x86\x14\x2A\x72\xF6\xE3\x33\x8C\x5D\x09\x4B\x13\xDF\xBB\x8C\x74\x13\x52\x4B\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xAE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4E\x0B\xEF\x1A\xA4\x40\x5B\xA5\x17\x69\x87\x30\xCA\x34\x68\x43\xD0\x41\xAE\xF2\x30\x64\x06\x03\x55\x1D\x1F\x04\x5D\x30\x5B\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x82\x01\x5D\x06\x03\x55\x1D\x20\x04\x82\x01\x54\x30\x82\x01\x50\x30\x82\x01\x4C\x06\x0B\x2B\x06\x01\x04\x01\x81\xB5\x37\x01\x01\x01\x30\x82\x01\x3B\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x29\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x69\x6E\x74\x65\x72\x6D\x65\x64\x69\x61\x74\x65\x2E\x70\x64\x66\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x30\x27\x16\x20\x53\x74\x61\x72\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x20\x28\x53\x74\x61\x72\x74\x43\x6F\x6D\x29\x20\x4C\x74\x64\x2E\x30\x03\x02\x01\x01\x1A\x81\x97\x4C\x69\x6D\x69\x74\x65\x64\x20\x4C\x69\x61\x62\x69\x6C\x69\x74\x79\x2C\x20\x72\x65\x61\x64\x20\x74\x68\x65\x20\x73\x65\x63\x74\x69\x6F\x6E\x20\x2A\x4C\x65\x67\x61\x6C\x20\x4C\x69\x6D\x69\x74\x61\x74\x69\x6F\x6E\x73\x2A\x20\x6F\x66\x20\x74\x68\x65\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x50\x6F\x6C\x69\x63\x79\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x38\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x2B\x16\x29\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x46\x72\x65\x65\x20\x53\x53\x4C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x16\x6C\x99\xF4\x66\x0C\x34\xF5\xD0\x85\x5E\x7D\x0A\xEC\xDA\x10\x4E\x38\x1C\x5E\xDF\xA6\x25\x05\x4B\x91\x32\xC1\xE8\x3B\xF1\x3D\xDD\x44\x09\x5B\x07\x49\x8A\x29\xCB\x66\x02\xB7\xB1\x9A\xF7\x25\x98\x09\x3C\x8E\x1B\xE1\xDD\x36\x87\x2B\x4B\xBB\x68\xD3\x39\x66\x3D\xA0\x26\xC7\xF2\x39\x91\x1D\x51\xAB\x82\x7B\x7E\xD5\xCE\x5A\xE4\xE2\x03\x57\x70\x69\x97\x08\xF9\x5E\x58\xA6\x0A\xDF\x8C\x06\x9A\x45\x16\x16\x38\x0A\x5E\x57\xF6\x62\xC7\x7A\x02\x05\xE6\xBC\x1E\xB5\xF2\x9E\xF4\xA9\x29\x83\xF8\xB2\x14\xE3\x6E\x28\x87\x44\xC3\x90\x1A\xDE\x38\xA9\x3C\xAC\x43\x4D\x64\x45\xCE\xDD\x28\xA9\x5C\xF2\x73\x7B\x04\xF8\x17\xE8\xAB\xB1\xF3\x2E\x5C\x64\x6E\x73\x31\x3A\x12\xB8\xBC\xB3\x11\xE4\x7D\x8F\x81\x51\x9A\x3B\x8D\x89\xF4\x4D\x93\x66\x7B\x3C\x03\xED\xD3\x9A\x1D\x9A\xF3\x65\x50\xF5\xA0\xD0\x75\x9F\x2F\xAF\xF0\xEA\x82\x43\x98\xF8\x69\x9C\x89\x79\xC4\x43\x8E\x46\x72\xE3\x64\x36\x12\xAF\xF7\x25\x1E\x38\x89\x90\x77\x7E\xC3\x6B\x6A\xB9\xC3\xCB\x44\x4B\xAC\x78\x90\x8B\xE7\xC7\x2C\x1E\x4B\x11\x44\xC8\x34\x52\x27\xCD\x0A\x5D\x9F\x85\xC1\x89\xD5\x1A\x78\xF2\x95\x10\x53\x32\xDD\x80\x84\x66\x75\xD9\xB5\x68\x28\xFB\x61\x2E\xBE\x84\xA8\x38\xC0\x99\x12\x86\xA5\x1E\x67\x64\xAD\x06\x2E\x2F\xA9\x70\x85\xC7\x96\x0F\x7C\x89\x65\xF5\x8E\x43\x54\x0E\xAB\xDD\xA5\x80\x39\x94\x60\xC0\x34\xC9\x96\x70\x2C\xA3\x12\xF5\x1F\x48\x7B\xBD\x1C\x7E\x6B\xB7\x9D\x90\xF4\x22\x3B\xAE\xF8\xFC\x2A\xCA\xFA\x82\x52\xA0\xEF\xAF\x4B\x55\x93\xEB\xC1\xB5\xF0\x22\x8B\xAC\x34\x4E\x26\x22\x04\xA1\x87\x2C\x75\x4A\xB7\xE5\x7D\x13\xD7\xB8\x0C\x64\xC0\x36\xD2\xC9\x2F\x86\x12\x8C\x23\x09\xC1\x1B\x82\x3B\x73\x49\xA3\x6A\x57\x87\x94\xE5\xD6\x78\xC5\x99\x43\x63\xE3\x4D\xE0\x77\x2D\xE1\x65\x99\x72\x69\x04\x1A\x47\x09\xE6\x0F\x01\x56\x24\xFB\x1F\xBF\x0E\x79\xA9\x58\x2E\xB9\xC4\x09\x01\x7E\x95\xBA\x6D\x00\x06\x3E\xB2\xEA\x4A\x10\x39\xD8\xD0\x2B\xF5\xBF\xEC\x75\xBF\x97\x02\xC5\x09\x1B\x08\xDC\x55\x37\xE2\x81\xFB\x37\x84\x43\x62\x20\xCA\xE7\x56\x4B\x65\xEA\xFE\x6C\xC1\x24\x93\x24\xA1\x34\xEB\x05\xFF\x9A\x22\xAE\x9B\x7D\x3F\xF1\x65\x51\x0A\xA6\x30\x6A\xB3\xF4\x88\x1C\x80\x0D\xFC\x72\x8A\xE8\x83\x5E",
 	["O=Government Root Certification Authority,C=TW"] = "\x30\x82\x05\x72\x30\x82\x03\x5A\xA0\x03\x02\x01\x02\x02\x10\x1F\x9D\x59\x5A\xD7\x2F\xC2\x06\x44\xA5\x80\x08\x69\xE3\x5E\xF6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x17\x0D\x33\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x25\xB8\xEC\xCC\xA2\x75\xA8\x7B\xF7\xCE\x5B\x59\x8A\xC9\xD1\x86\x12\x08\x54\xEC\x9C\xF2\xE7\x46\xF6\x88\xF3\x7C\xE9\xA5\xDF\x4C\x47\x36\xA4\x1B\x01\x1C\x7F\x1E\x57\x8A\x8D\xC3\xC5\xD1\x21\xE3\xDA\x24\x3F\x48\x2B\xFB\x9F\x2E\xA1\x94\xE7\x2C\x1C\x93\xD1\xBF\x1B\x01\x87\x53\x99\xCE\xA7\xF5\x0A\x21\x76\x77\xFF\xA9\xB7\xC6\x73\x94\x4F\x46\xF7\x10\x49\x37\xFA\xA8\x59\x49\x5D\x6A\x81\x07\x56\xF2\x8A\xF9\x06\xD0\xF7\x70\x22\x4D\xB4\xB7\x41\xB9\x32\xB8\xB1\xF0\xB1\xC3\x9C\x3F\x70\xFD\x53\xDD\x81\xAA\xD8\x63\x78\xF6\xD8\x53\x6E\xA1\xAC\x6A\x84\x24\x72\x54\x86\xC6\xD2\xB2\xCA\x1C\x0E\x79\x81\xD6\xB5\x70\x62\x08\x01\x2E\x4E\x4F\x0E\xD5\x11\xAF\xA9\xAF\xE5\x9A\xBF\xDC\xCC\x87\x6D\x26\xE4\xC9\x57\xA2\xFB\x96\xF9\xCC\xE1\x3F\x53\x8C\x6C\x4C\x7E\x9B\x53\x08\x0B\x6C\x17\xFB\x67\xC8\xC2\xAD\xB1\xCD\x80\xB4\x97\xDC\x76\x01\x16\x15\xE9\x6A\xD7\xA4\xE1\x78\x47\xCE\x86\xD5\xFB\x31\xF3\xFA\x31\xBE\x34\xAA\x28\xFB\x70\x4C\x1D\x49\xC7\xAF\x2C\x9D\x6D\x66\xA6\xB6\x8D\x64\x7E\xB5\x20\x6A\x9D\x3B\x81\xB6\x8F\x40\x00\x67\x4B\x89\x86\xB8\xCC\x65\xFE\x15\x53\xE9\x04\xC1\xD6\x5F\x1D\x44\xD7\x0A\x2F\x27\x9A\x46\x7D\xA1\x0D\x75\xAD\x54\x86\x15\xDC\x49\x3B\xF1\x96\xCE\x0F\x9B\xA0\xEC\xA3\x7A\x5D\xBE\xD5\x2A\x75\x42\xE5\x7B\xDE\xA5\xB6\xAA\xAF\x28\xAC\xAC\x90\xAC\x38\xB7\xD5\x68\x35\x26\x7A\xDC\xF7\x3B\xF3\xFD\x45\x9B\xD1\xBB\x43\x78\x6E\x6F\xF1\x42\x54\x6A\x98\xF0\x0D\xAD\x97\xE9\x52\x5E\xE9\xD5\x6A\x72\xDE\x6A\xF7\x1B\x60\x14\xF4\xA5\xE4\xB6\x71\x67\xAA\x1F\xEA\xE2\x4D\xC1\x42\x40\xFE\x67\x46\x17\x38\x2F\x47\x3F\x71\x9C\xAE\xE5\x21\xCA\x61\x2D\x6D\x07\xA8\x84\x7C\x2D\xEE\x51\x25\xF1\x63\x90\x9E\xFD\xE1\x57\x88\x6B\xEF\x8A\x23\x6D\xB1\xE6\xBD\x3F\xAD\xD1\x3D\x96\x0B\x85\x8D\xCD\x6B\x27\xBB\xB7\x05\x9B\xEC\xBB\x91\xA9\x0A\x07\x12\x02\x97\x4E\x20\x90\xF0\xFF\x0D\x1E\xE2\x41\x3B\xD3\x40\x3A\xE7\x8D\x5D\xDA\x66\xE4\x02\xB0\x07\x52\x98\x5C\x0E\x8E\x33\x9C\xC2\xA6\x95\xFB\x55\x19\x6E\x4C\x8E\xAE\x4B\x0F\xBD\xC1\x38\x4D\x5E\x8F\x84\x1D\x66\xCD\xC5\x60\x96\xB4\x52\x5A\x05\x89\x8E\x95\x7A\x98\xC1\x91\x3C\x95\x23\xB2\x0E\xF4\x79\xB4\xC9\x7C\xC1\x4A\x21\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCC\xCC\xEF\xCC\x29\x60\xA4\x3B\xB1\x92\xB6\x3C\xFA\x32\x62\x8F\xAC\x25\x15\x3B\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x03\x9B\xF0\x22\x13\xFF\x95\x28\x36\xD3\xDC\x9E\xC0\x32\xFB\x31\x3A\x8A\x51\x65\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x40\x80\x4A\xFA\x26\xC9\xCE\x5E\x30\xDD\x4F\x86\x74\x76\x58\xF5\xAE\xB3\x83\x33\x78\xA4\x7A\x74\x17\x19\x4E\xE9\x52\xB5\xB9\xE0\x0A\x74\x62\xAA\x68\xCA\x78\xA0\x4C\x9A\x8E\x2C\x23\x2E\xD5\x6A\x12\x24\xBF\xD4\x68\xD3\x8A\xD0\xD8\x9C\x9F\xB4\x1F\x0C\xDE\x38\x7E\x57\x38\xFC\x8D\xE2\x4F\x5E\x0C\x9F\xAB\x3B\xD2\xFF\x75\x97\xCB\xA4\xE3\x67\x08\xFF\xE5\xC0\x16\xB5\x48\x01\x7D\xE9\xF9\x0A\xFF\x1B\xE5\x6A\x69\xBF\x78\x21\xA8\xC2\xA7\x23\xA9\x86\xAB\x76\x56\xE8\x0E\x0C\xF6\x13\xDD\x2A\x66\x8A\x64\x49\x3D\x1A\x18\x87\x90\x04\x9F\x42\x52\xB7\x4F\xCB\xFE\x47\x41\x76\x35\xEF\xFF\x00\x76\x36\x45\x32\x9B\xC6\x46\x85\x5D\xE2\x24\xB0\x1E\xE3\x48\x96\x98\x57\x47\x94\x55\x7A\x0F\x41\xB1\x44\x24\xF3\xC1\xFE\x1A\x6B\xBF\x88\xFD\xC1\xA6\xDA\x93\x60\x5E\x81\x4A\x99\x20\x9C\x48\x66\x19\xB5\x00\x79\x54\x0F\xB8\x2C\x2F\x4B\xBC\xA9\x5D\x5B\x60\x7F\x8C\x87\xA5\xE0\x52\x63\x2A\xBE\xD8\x3B\x85\x40\x15\xFE\x1E\xB6\x65\x3F\xC5\x4B\xDA\x7E\xB5\x7A\x35\x29\xA3\x2E\x7A\x98\x60\x22\xA3\xF4\x7D\x27\x4E\x2D\xEA\xB4\x74\x3C\xE9\x0F\xA4\x33\x0F\x10\x11\xBC\x13\x01\xD6\xE5\x0E\xD3\xBF\xB5\x12\xA2\xE1\x45\x23\xC0\xCC\x08\x6E\x61\xB7\x89\xAB\x83\xE3\x24\x1E\xE6\x5D\x07\xE7\x1F\x20\x3E\xCF\x67\xC8\xE7\xAC\x30\x6D\x27\x4B\x68\x6E\x4B\x2A\x5C\x02\x08\x34\xDB\xF8\x76\xE4\x67\xA3\x26\x9C\x3F\xA2\x32\xC2\x4A\xC5\x81\x18\x31\x10\x56\xAA\x84\xEF\x2D\x0A\xFF\xB8\x1F\x77\xD2\xBF\xA5\x58\xA0\x62\xE4\xD7\x4B\x91\x75\x8D\x89\x80\x98\x7E\x6D\xCB\x53\x4E\x5E\xAF\xF6\xB2\x97\x85\x97\xB9\xDA\x55\x06\xB9\x24\xEE\xD7\xC6\x38\x1E\x63\x1B\x12\x3B\x95\xE1\x58\xAC\xF2\xDF\x84\xD5\x5F\x99\x2F\x0D\x55\x5B\xE6\x38\xDB\x2E\x3F\x72\xE9\x48\x85\xCB\xBB\x29\x13\x8F\x1E\x38\x55\xB9\xF3\xB2\xC4\x30\x99\x23\x4E\x5D\xF2\x48\xA1\x12\x0C\xDC\x12\x90\x09\x90\x54\x91\x03\x3C\x47\xE5\xD5\xC9\x65\xE0\xB7\x4B\x7D\xEC\x47\xD3\xB3\x0B\x3E\xAD\x9E\xD0\x74\x00\x0E\xEB\xBD\x51\xAD\xC0\xDE\x2C\xC0\xC3\x6A\xFE\xEF\xDC\x0B\xA7\xFA\x46\xDF\x60\xDB\x9C\xA6\x59\x50\x75\x23\x69\x73\x93\xB2\xF9\xFC\x02\xD3\x47\xE6\x71\xCE\x10\x02\xEE\x27\x8C\x84\xFF\xAC\x45\x0D\x13\x5C\x83\x32\xE0\x25\xA5\x86\x2C\x7C\xF4\x12",
-	["emailAddress=ca@firmaprofesional.com,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,L=C/ Muntaner 244 Barcelona,C=ES"] = "\x30\x82\x04\x57\x30\x82\x03\x3F\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x9D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x22\x30\x20\x06\x03\x55\x04\x07\x13\x19\x43\x2F\x20\x4D\x75\x6E\x74\x61\x6E\x65\x72\x20\x32\x34\x34\x20\x42\x61\x72\x63\x65\x6C\x6F\x6E\x61\x31\x42\x30\x40\x06\x03\x55\x04\x03\x13\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x63\x61\x40\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x30\x1E\x17\x0D\x30\x31\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x17\x0D\x31\x33\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x30\x81\x9D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x22\x30\x20\x06\x03\x55\x04\x07\x13\x19\x43\x2F\x20\x4D\x75\x6E\x74\x61\x6E\x65\x72\x20\x32\x34\x34\x20\x42\x61\x72\x63\x65\x6C\x6F\x6E\x61\x31\x42\x30\x40\x06\x03\x55\x04\x03\x13\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x31\x26\x30\x24\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x63\x61\x40\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE7\x23\x03\x6F\x6F\x23\xA5\x5E\x78\xCE\x95\x2C\xED\x94\x1E\x6E\x0A\x9E\x01\xC7\xEA\x30\xD1\x2C\x9D\xDD\x37\xE8\x9B\x98\x79\x56\xD3\xFC\x73\xDF\xD0\x8A\xDE\x55\x8F\x51\xF9\x5A\xEA\xDE\xB5\x70\xC4\xED\xA4\xED\xFF\xA3\x0D\x6E\x0F\x64\x50\x31\xAF\x01\x27\x58\xAE\xFE\x6C\xA7\x4A\x2F\x17\x2D\xD3\x73\xD5\x13\x1C\x8F\x59\xA5\x34\x2C\x1D\x54\x04\x45\xCD\x68\xB8\xA0\xC0\x03\xA5\xCF\x85\x42\x47\x95\x28\x5B\xCF\xEF\x80\x6C\xE0\x90\x97\x8A\x01\x3C\x1D\xF3\x87\x10\x30\x26\x48\x7D\xD7\xFC\xE9\x9D\x91\x71\xFF\x41\x9A\xA9\x40\xB5\x37\x9C\x29\x20\x4F\x1F\x52\xE3\xA0\x7D\x13\x6D\x54\xB7\x0A\xDE\xE9\x6A\x4E\x07\xAC\xAC\x19\x5F\xDC\x7E\x62\x74\xF6\xB2\x05\x00\xBA\x85\xA0\xFD\x1D\x38\x6E\xCB\x5A\xBB\x86\xBC\x94\x67\x33\x35\x83\x2C\x1F\x23\xCD\xF8\xC8\x91\x71\xCC\x97\x8B\xEF\xAE\x0F\xDC\x29\x03\x1B\xC0\x39\xEB\x70\xED\xC1\x6E\x0E\xD8\x67\x0B\x89\xA9\xBC\x35\xE4\xEF\xB6\x34\xB4\xA5\xB6\xC4\x2D\xA5\xBE\xD0\xC3\x94\x24\x48\xDB\xDF\x96\xD3\x00\xB5\x66\x1A\x8B\x66\x05\x0F\xDD\x3F\x3F\xCB\x3F\xAA\x5E\x9A\x4A\xF8\xB4\x4A\xEF\x95\x37\x1B\x02\x03\x01\x00\x01\xA3\x81\x9F\x30\x81\x9C\x30\x2A\x06\x03\x55\x1D\x11\x04\x23\x30\x21\x86\x1F\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x31\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x81\x0F\x32\x30\x31\x33\x31\x30\x32\x34\x32\x32\x30\x30\x30\x30\x5A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x33\x0B\xA0\x66\xD1\xEA\xDA\xCE\xDE\x62\x93\x04\x28\x52\xB5\x14\x7F\x38\x68\xB7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x47\x73\xFE\x8D\x27\x54\xF0\xF5\xD4\x77\x9C\x27\x79\x57\x57\xB7\x15\x56\xEC\xC7\xD8\x58\xB7\x01\x02\xF4\x33\xED\x93\x50\x88\x9E\x7C\x46\xB1\xBD\x3F\x14\x6F\xF1\xB3\x47\x48\x8B\x8C\x97\x06\xD7\xEA\x7E\xA3\x5C\x2A\xBB\x4D\x2F\x47\xE2\xF8\x39\x06\xC9\x9C\x2E\x31\x1A\x03\x78\xF4\xBC\x38\xC6\x22\x8B\x33\x31\xF0\x16\x04\x04\x7D\xF9\x76\xE4\x4B\xD7\xC0\xE6\x83\xEC\x59\xCC\x3F\xDE\xFF\x4F\x6B\xB7\x67\x7E\xA6\x86\x81\x32\x23\x03\x9D\xC8\xF7\x5F\xC1\x4A\x60\xA5\x92\xA9\xB1\xA4\xA0\x60\xC3\x78\x87\xB3\x22\xF3\x2A\xEB\x5B\xA9\xED\x05\xAB\x37\x0F\xB1\xE2\xD3\x95\x76\x63\x56\x74\x8C\x58\x72\x1B\x37\xE5\x64\xA1\xBE\x4D\x0C\x93\x98\x0C\x97\xF6\x87\x6D\xB3\x3F\xE7\xCB\x80\xA6\xED\x88\xC7\x5F\x50\x62\x02\xE8\x99\x74\x16\xD0\xE6\xB4\x39\xF1\x27\xCB\xC8\x40\xD6\xE3\x86\x10\xA9\x23\x12\x92\xE0\x69\x41\x63\xA7\xAF\x25\x0B\xC0\xC5\x92\xCB\x1E\x98\xA3\x5A\xBA\xC5\x33\x0F\xA0\x97\x01\xDD\x7F\xE0\x7B\xD6\x06\x54\xCF\xA1\xE2\x4D\x38\xEB\x4B\x50\xB5\xCB\x26\xF4\xCA\xDA\x70\x4A\x6A\xA1\xE2\x79\xAA\xE1\xA7\x33\xF6\xFD\x4A\x1F\xF6\xD9\x60",
-	["CN=Wells Fargo Root Certificate Authority,OU=Wells Fargo Certification Authority,O=Wells Fargo,C=US"] = "\x30\x82\x03\xE5\x30\x82\x02\xCD\xA0\x03\x02\x01\x02\x02\x04\x39\xE4\x97\x9E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x31\x2C\x30\x2A\x06\x03\x55\x04\x0B\x13\x23\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2F\x30\x2D\x06\x03\x55\x04\x03\x13\x26\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x30\x31\x30\x31\x31\x31\x36\x34\x31\x32\x38\x5A\x17\x0D\x32\x31\x30\x31\x31\x34\x31\x36\x34\x31\x32\x38\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x31\x2C\x30\x2A\x06\x03\x55\x04\x0B\x13\x23\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2F\x30\x2D\x06\x03\x55\x04\x03\x13\x26\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD5\xA8\x33\x3B\x26\xF9\x34\xFF\xCD\x9B\x7E\xE5\x04\x47\xCE\x00\xE2\x7D\x77\xE7\x31\xC2\x2E\x27\xA5\x4D\x68\xB9\x31\xBA\x8D\x43\x59\x97\xC7\x73\xAA\x7F\x3D\x5C\x40\x9E\x05\xE5\xA1\xE2\x89\xD9\x4C\xB8\x3F\x9B\xF9\x0C\xB4\xC8\x62\x19\x2C\x45\xAE\x91\x1E\x73\x71\x41\xC4\x4B\x13\xFD\x70\xC2\x25\xAC\x22\xF5\x75\x0B\xB7\x53\xE4\xA5\x2B\xDD\xCE\xBD\x1C\x3A\x7A\xC3\xF7\x13\x8F\x26\x54\x9C\x16\x6B\x6B\xAF\xFB\xD8\x96\xB1\x60\x9A\x48\xE0\x25\x22\x24\x79\x34\xCE\x0E\x26\x00\x0B\x4E\xAB\xFD\x8B\xCE\x82\xD7\x2F\x08\x70\x68\xC1\xA8\x0A\xF9\x74\x4F\x07\xAB\xA4\xF9\xE2\x83\x7E\x27\x73\x74\x3E\xB8\xF9\x38\x42\xFC\xA5\xA8\x5B\x48\x23\xB3\xEB\xE3\x25\xB2\x80\xAE\x96\xD4\x0A\x9C\xC2\x78\x9A\xC6\x68\x18\xAE\x37\x62\x37\x5E\x51\x75\xA8\x58\x63\xC0\x51\xEE\x40\x78\x7E\xA8\xAF\x1A\xA0\xE1\xB0\x78\x9D\x50\x8C\x7B\xE7\xB3\xFC\x8E\x23\xB0\xDB\x65\x00\x70\x84\x01\x08\x00\x14\x6E\x54\x86\x9A\xBA\xCC\xF9\x37\x10\xF6\xE0\xDE\x84\x2D\x9D\xA4\x85\x37\xD3\x87\xE3\x15\xD0\xC1\x17\x90\x7E\x19\x21\x6A\x12\xA9\x76\xFD\x12\x02\xE9\x4F\x21\x5E\x17\x02\x03\x01\x00\x01\xA3\x61\x30\x5F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x4C\x06\x03\x55\x1D\x20\x04\x45\x30\x43\x30\x41\x06\x0B\x60\x86\x48\x01\x86\xFB\x7B\x87\x07\x01\x0B\x30\x32\x30\x30\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x65\x6C\x6C\x73\x66\x61\x72\x67\x6F\x2E\x63\x6F\x6D\x2F\x63\x65\x72\x74\x70\x6F\x6C\x69\x63\x79\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD2\x27\xDD\x9C\x0A\x77\x2B\xBB\x22\xF2\x02\xB5\x4A\x4A\x91\xF9\xD1\x2D\xBE\xE4\xBB\x1A\x68\xEF\x0E\xA4\x00\xE9\xEE\xE7\xEF\xEE\xF6\xF9\xE5\x74\xA4\xC2\xD8\x52\x58\xC4\x74\xFB\xCE\x6B\xB5\x3B\x29\x79\x18\x5A\xEF\x9B\xED\x1F\x6B\x36\xEE\x48\x25\x25\x14\xB6\x56\xA2\x10\xE8\xEE\xA7\x7F\xD0\x3F\xA3\xD0\xC3\x5D\x26\xEE\x07\xCC\xC3\xC1\x24\x21\x87\x1E\xDF\x2A\x12\x53\x6F\x41\x16\xE7\xED\xAE\x94\xFA\x8C\x72\xFA\x13\x47\xF0\x3C\x7E\xAE\x7D\x11\x3A\x13\xEC\xED\xFA\x6F\x72\x64\x7B\x9D\x7D\x7F\x26\xFD\x7A\xFB\x25\xAD\xEA\x3E\x29\x7F\x4C\xE3\x00\x57\x32\xB0\xB3\xE9\xED\x53\x17\xD9\x8B\xB2\x14\x0E\x30\xE8\xE5\xD5\x13\xC6\x64\xAF\xC4\x00\xD5\xD8\x58\x24\xFC\xF5\x8F\xEC\xF1\xC7\x7D\xA5\xDB\x0F\x27\xD1\xC6\xF2\x40\x88\xE6\x1F\xF6\x61\xA8\xF4\x42\xC8\xB9\x37\xD3\xA9\xBE\x2C\x56\x78\xC2\x72\x9B\x59\x5D\x35\x40\x8A\xE8\x4E\x63\x1A\xB6\xE9\x20\x6A\x51\xE2\xCE\xA4\x90\xDF\x76\x70\x99\x5C\x70\x43\x4D\xB7\xB6\xA7\x19\x64\x4E\x92\xB7\xC5\x91\x3C\x7F\x48\x16\x65\x7B\x16\xFD\xCB\xFC\xFB\xD9\xD5\xD6\x4F\x21\x65\x3B\x4A\x7F\x47\xA3\xFB",
 	["CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xD9\x30\x82\x03\xC1\xA0\x03\x02\x01\x02\x02\x10\x5C\x0B\x85\x5C\x0B\xE7\x59\x41\xDF\x57\xCC\x3F\x7F\x9D\xA8\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x35\x30\x38\x31\x38\x31\x32\x30\x36\x32\x30\x5A\x17\x0D\x32\x35\x30\x38\x31\x38\x32\x32\x30\x36\x32\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\xB9\xB0\xA8\x0C\xD9\xBB\x3F\x21\xF8\x1B\xD5\x33\x93\x80\x16\x65\x20\x75\xB2\x3D\x9B\x60\x6D\x46\xC8\x8C\x31\x6F\x17\xC3\xFA\x9A\x6C\x56\xED\x3C\xC5\x91\x57\xC3\xCD\xAB\x96\x49\x90\x2A\x19\x4B\x1E\xA3\x6D\x57\xDD\xF1\x2B\x62\x28\x75\x45\x5E\xAA\xD6\x5B\xFA\x0B\x25\xD8\xA1\x16\xF9\x1C\xC4\x2E\xE6\x95\x2A\x67\xCC\xD0\x29\x6E\x3C\x85\x34\x38\x61\x49\xB1\x00\x9F\xD6\x3A\x71\x5F\x4D\x6D\xCE\x5F\xB9\xA9\xE4\x89\x7F\x6A\x52\xFA\xCA\x9B\xF2\xDC\xA9\xF9\x9D\x99\x47\x3F\x4E\x29\x5F\xB4\xA6\x8D\x5D\x7B\x0B\x99\x11\x03\x03\xFE\xE7\xDB\xDB\xA3\xFF\x1D\xA5\xCD\x90\x1E\x01\x1F\x35\xB0\x7F\x00\xDB\x90\x6F\xC6\x7E\x7B\xD1\xEE\x7A\x7A\xA7\xAA\x0C\x57\x6F\xA4\x6D\xC5\x13\x3B\xB0\xA5\xD9\xED\x32\x1C\xB4\x5E\x67\x8B\x54\xDC\x73\x87\xE5\xD3\x17\x7C\x66\x50\x72\x5D\xD4\x1A\x58\xC1\xD9\xCF\xD8\x89\x02\x6F\xA7\x49\xB4\x36\x5D\xD0\xA4\xDE\x07\x2C\xB6\x75\xB7\x28\x91\xD6\x97\xBE\x28\xF5\x98\x1E\xEA\x5B\x26\xC9\xBD\xB0\x97\x73\xDA\xAE\x91\x26\xEB\x68\xC1\xF9\x39\x15\xD6\x67\x4B\x0A\x6D\x4F\xCB\xCF\xB0\xE4\x42\x71\x8C\x53\x79\xE7\xEE\xE1\xDB\x1D\xA0\x6E\x1D\x8C\x1A\x77\x35\x5C\x16\x1E\x2B\x53\x1F\x34\x8B\xD1\x6C\xFC\xF2\x67\x07\x7A\xF5\xAD\xED\xD6\x9A\xAB\xA1\xB1\x4B\xE1\xCC\x37\x5F\xFD\x7F\xCD\x4D\xAE\xB8\x1F\x9C\x43\xF9\x2A\x58\x55\x43\x45\xBC\x96\xCD\x70\x0E\xFC\xC9\xE3\x66\xBA\x4E\x8D\x3B\x81\xCB\x15\x64\x7B\xB9\x94\xE8\x5D\x33\x52\x85\x71\x2E\x4F\x8E\xA2\x06\x11\x51\xC9\xE3\xCB\xA1\x6E\x31\x08\x64\x0C\xC2\xD2\x3C\xF5\x36\xE8\xD7\xD0\x0E\x78\x23\x20\x91\xC9\x24\x2A\x65\x29\x5B\x22\xF7\x21\xCE\x83\x5E\xA4\xF3\xDE\x4B\xD3\x68\x8F\x46\x75\x5C\x83\x09\x6E\x29\x6B\xC4\x70\x8C\xF5\x9D\xD7\x20\x2F\xFF\x46\xD2\x2B\x38\xC2\x2F\x75\x1C\x3D\x7E\xDA\xA5\xEF\x1E\x60\x85\x69\x42\xD3\xCC\xF8\x63\xFE\x1E\x43\x39\x85\xA6\xB6\x63\x41\x10\xB3\x73\x1E\xBC\xD3\xFA\xCA\x7D\x16\x47\xE2\xA7\xD5\xD0\xA3\x8A\x0A\x08\x96\x62\x56\x6E\x34\xDB\xD9\x02\xB9\x30\x75\xE3\x04\xD2\xE7\x8F\xC2\xB0\x11\x40\x0A\xAC\xD5\x71\x02\x62\x8B\x31\xBE\xDD\xC6\x23\x58\x31\x42\x43\x2D\x74\xF9\xC6\x9E\xA6\x8A\x0F\xE9\xFE\xBF\x83\xE6\x43\x57\x24\xBA\xEF\x46\x34\xAA\xD7\x12\x01\x38\xED\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x00\x01\x06\x07\x60\x85\x74\x01\x53\x00\x01\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x35\x10\xCB\xEC\xA6\x04\x0D\x0D\x0F\xCD\xC0\xDB\xAB\xA8\xF2\x88\x97\x0C\xDF\x93\x2F\x4D\x7C\x40\x56\x31\x7A\xEB\xA4\x0F\x60\xCD\x7A\xF3\xBE\xC3\x27\x8E\x03\x3E\xA4\xDD\x12\xEF\x7E\x1E\x74\x06\x3C\x3F\x31\xF2\x1C\x7B\x91\x31\x21\xB4\xF0\xD0\x6C\x97\xD4\xE9\x97\xB2\x24\x56\x1E\x56\xC3\x35\xBD\x88\x05\x0F\x5B\x10\x1A\x64\xE1\xC7\x82\x30\xF9\x32\xAD\x9E\x50\x2C\xE7\x78\x05\xD0\x31\xB1\x5A\x98\x8A\x75\x4E\x90\x5C\x6A\x14\x2A\xE0\x52\x47\x82\x60\xE6\x1E\xDA\x81\xB1\xFB\x14\x0B\x5A\xF1\x9F\xD2\x95\xBA\x3E\xD0\x1B\xD6\x15\x1D\xA3\xBE\x86\xD5\xDB\x0F\xC0\x49\x64\xBB\x2E\x50\x19\x4B\xD2\x24\xF8\xDD\x1E\x07\x56\xD0\x38\xA0\x95\x70\x20\x76\x8C\xD7\xDD\x1E\xDE\x9F\x71\xC4\x23\xEF\x83\x13\x5C\xA3\x24\x15\x4D\x29\x40\x3C\x6A\xC4\xA9\xD8\xB7\xA6\x44\xA5\x0D\xF4\xE0\x9D\x77\x1E\x40\x70\x26\xFC\xDA\xD9\x36\xE4\x79\xE4\xB5\x3F\xBC\x9B\x65\xBE\xBB\x11\x96\xCF\xDB\xC6\x28\x39\x3A\x08\xCE\x47\x5B\x53\x5A\xC5\x99\xFE\x5D\xA9\xDD\xEF\x4C\xD4\xC6\xA5\xAD\x02\xE6\x8C\x07\x12\x1E\x6F\x03\xD1\x6F\xA0\xA3\xF3\x29\xBD\x12\xC7\x50\xA2\xB0\x7F\x88\xA9\x99\x77\x9A\xB1\xC0\xA5\x39\x2E\x5C\x7C\x69\xE2\x2C\xB0\xEA\x37\x6A\xA4\xE1\x5A\xE1\xF5\x50\xE5\x83\xEF\xA5\xBB\x2A\x88\xE7\x8C\xDB\xFD\x6D\x5E\x97\x19\xA8\x7E\x66\x75\x6B\x71\xEA\xBF\xB1\xC7\x6F\xA0\xF4\x8E\xA4\xEC\x34\x51\x5B\x8C\x26\x03\x70\xA1\x77\xD5\x01\x12\x57\x00\x35\xDB\x23\xDE\x0E\x8A\x28\x99\xFD\xB1\x10\x6F\x4B\xFF\x38\x2D\x60\x4E\x2C\x9C\xEB\x67\xB5\xAD\x49\xEE\x4B\x1F\xAC\xAF\xFB\x0D\x90\x5A\x66\x60\x70\x5D\xAA\xCD\x78\xD4\x24\xEE\xC8\x41\xA0\x93\x01\x92\x9C\x6A\x9E\xFC\xB9\x24\xC5\xB3\x15\x82\x7E\xBE\xAE\x95\x2B\xEB\xB1\xC0\xDA\xE3\x01\x60\x0B\x5E\x69\xAC\x84\x56\x61\xBE\x71\x17\xFE\x1D\x13\x0F\xFE\xC6\x87\x45\xE9\xFE\x32\xA0\x1A\x0D\x13\xA4\x94\x55\x71\xA5\x16\x8B\xBA\xCA\x89\xB0\xB2\xC7\xFC\x8F\xD8\x54\xB5\x93\x62\x9D\xCE\xCF\x59\xFB\x3D\x18\xCE\x2A\xCB\x35\x15\x82\x5D\xFF\x54\x22\x5B\x71\x52\xFB\xB7\xC9\xFE\x60\x9B\x00\x41\x64\xF0\xAA\x2A\xEC\xB6\x42\x43\xCE\x89\x66\x81\xC8\x8B\x9F\x39\x54\x03\x25\xD3\x16\x35\x8E\x84\xD0\x5F\xFA\x30\x1A\xF5\x9A\x6C\xF4\x0E\x53\xF9\x3A\x5B\xD1\x1C",
 	["CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xB7\x30\x82\x02\x9F\xA0\x03\x02\x01\x02\x02\x10\x0C\xE7\xE0\xE5\x17\xD8\x46\xFE\x8F\xE5\x60\xFC\x1B\xF0\x30\x39\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x0E\x15\xCE\xE4\x43\x80\x5C\xB1\x87\xF3\xB7\x60\xF9\x71\x12\xA5\xAE\xDC\x26\x94\x88\xAA\xF4\xCE\xF5\x20\x39\x28\x58\x60\x0C\xF8\x80\xDA\xA9\x15\x95\x32\x61\x3C\xB5\xB1\x28\x84\x8A\x8A\xDC\x9F\x0A\x0C\x83\x17\x7A\x8F\x90\xAC\x8A\xE7\x79\x53\x5C\x31\x84\x2A\xF6\x0F\x98\x32\x36\x76\xCC\xDE\xDD\x3C\xA8\xA2\xEF\x6A\xFB\x21\xF2\x52\x61\xDF\x9F\x20\xD7\x1F\xE2\xB1\xD9\xFE\x18\x64\xD2\x12\x5B\x5F\xF9\x58\x18\x35\xBC\x47\xCD\xA1\x36\xF9\x6B\x7F\xD4\xB0\x38\x3E\xC1\x1B\xC3\x8C\x33\xD9\xD8\x2F\x18\xFE\x28\x0F\xB3\xA7\x83\xD6\xC3\x6E\x44\xC0\x61\x35\x96\x16\xFE\x59\x9C\x8B\x76\x6D\xD7\xF1\xA2\x4B\x0D\x2B\xFF\x0B\x72\xDA\x9E\x60\xD0\x8E\x90\x35\xC6\x78\x55\x87\x20\xA1\xCF\xE5\x6D\x0A\xC8\x49\x7C\x31\x98\x33\x6C\x22\xE9\x87\xD0\x32\x5A\xA2\xBA\x13\x82\x11\xED\x39\x17\x9D\x99\x3A\x72\xA1\xE6\xFA\xA4\xD9\xD5\x17\x31\x75\xAE\x85\x7D\x22\xAE\x3F\x01\x46\x86\xF6\x28\x79\xC8\xB1\xDA\xE4\x57\x17\xC4\x7E\x1C\x0E\xB0\xB4\x92\xA6\x56\xB3\xBD\xB2\x97\xED\xAA\xA7\xF0\xB7\xC5\xA8\x3F\x95\x16\xD0\xFF\xA1\x96\xEB\x08\x5F\x18\x77\x4F\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA2\x0E\xBC\xDF\xE2\xED\xF0\xE3\x72\x73\x7A\x64\x94\xBF\xF7\x72\x66\xD8\x32\xE4\x42\x75\x62\xAE\x87\xEB\xF2\xD5\xD9\xDE\x56\xB3\x9F\xCC\xCE\x14\x28\xB9\x0D\x97\x60\x5C\x12\x4C\x58\xE4\xD3\x3D\x83\x49\x45\x58\x97\x35\x69\x1A\xA8\x47\xEA\x56\xC6\x79\xAB\x12\xD8\x67\x81\x84\xDF\x7F\x09\x3C\x94\xE6\xB8\x26\x2C\x20\xBD\x3D\xB3\x28\x89\xF7\x5F\xFF\x22\xE2\x97\x84\x1F\xE9\x65\xEF\x87\xE0\xDF\xC1\x67\x49\xB3\x5D\xEB\xB2\x09\x2A\xEB\x26\xED\x78\xBE\x7D\x3F\x2B\xF3\xB7\x26\x35\x6D\x5F\x89\x01\xB6\x49\x5B\x9F\x01\x05\x9B\xAB\x3D\x25\xC1\xCC\xB6\x7F\xC2\xF1\x6F\x86\xC6\xFA\x64\x68\xEB\x81\x2D\x94\xEB\x42\xB7\xFA\x8C\x1E\xDD\x62\xF1\xBE\x50\x67\xB7\x6C\xBD\xF3\xF1\x1F\x6B\x0C\x36\x07\x16\x7F\x37\x7C\xA9\x5B\x6D\x7A\xF1\x12\x46\x60\x83\xD7\x27\x04\xBE\x4B\xCE\x97\xBE\xC3\x67\x2A\x68\x11\xDF\x80\xE7\x0C\x33\x66\xBF\x13\x0D\x14\x6E\xF3\x7F\x1F\x63\x10\x1E\xFA\x8D\x1B\x25\x6D\x6C\x8F\xA5\xB7\x61\x01\xB1\xD2\xA3\x26\xA1\x10\x71\x9D\xAD\xE2\xC3\xF9\xC3\x99\x51\xB7\x2B\x07\x08\xCE\x2E\xE6\x50\xB2\xA7\xFA\x0A\x45\x2F\xA2\xF0\xF2",
 	["CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xAF\x30\x82\x02\x97\xA0\x03\x02\x01\x02\x02\x10\x08\x3B\xE0\x56\x90\x42\x46\xB1\xA1\x75\x6A\xC9\x59\x91\xC7\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE2\x3B\xE1\x11\x72\xDE\xA8\xA4\xD3\xA3\x57\xAA\x50\xA2\x8F\x0B\x77\x90\xC9\xA2\xA5\xEE\x12\xCE\x96\x5B\x01\x09\x20\xCC\x01\x93\xA7\x4E\x30\xB7\x53\xF7\x43\xC4\x69\x00\x57\x9D\xE2\x8D\x22\xDD\x87\x06\x40\x00\x81\x09\xCE\xCE\x1B\x83\xBF\xDF\xCD\x3B\x71\x46\xE2\xD6\x66\xC7\x05\xB3\x76\x27\x16\x8F\x7B\x9E\x1E\x95\x7D\xEE\xB7\x48\xA3\x08\xDA\xD6\xAF\x7A\x0C\x39\x06\x65\x7F\x4A\x5D\x1F\xBC\x17\xF8\xAB\xBE\xEE\x28\xD7\x74\x7F\x7A\x78\x99\x59\x85\x68\x6E\x5C\x23\x32\x4B\xBF\x4E\xC0\xE8\x5A\x6D\xE3\x70\xBF\x77\x10\xBF\xFC\x01\xF6\x85\xD9\xA8\x44\x10\x58\x32\xA9\x75\x18\xD5\xD1\xA2\xBE\x47\xE2\x27\x6A\xF4\x9A\x33\xF8\x49\x08\x60\x8B\xD4\x5F\xB4\x3A\x84\xBF\xA1\xAA\x4A\x4C\x7D\x3E\xCF\x4F\x5F\x6C\x76\x5E\xA0\x4B\x37\x91\x9E\xDC\x22\xE6\x6D\xCE\x14\x1A\x8E\x6A\xCB\xFE\xCD\xB3\x14\x64\x17\xC7\x5B\x29\x9E\x32\xBF\xF2\xEE\xFA\xD3\x0B\x42\xD4\xAB\xB7\x41\x32\xDA\x0C\xD4\xEF\xF8\x81\xD5\xBB\x8D\x58\x3F\xB5\x1B\xE8\x49\x28\xA2\x70\xDA\x31\x04\xDD\xF7\xB2\x16\xF2\x4C\x0A\x4E\x07\xA8\xED\x4A\x3D\x5E\xB5\x7F\xA3\x90\xC3\xAF\x27\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xCB\x9C\x37\xAA\x48\x13\x12\x0A\xFA\xDD\x44\x9C\x4F\x52\xB0\xF4\xDF\xAE\x04\xF5\x79\x79\x08\xA3\x24\x18\xFC\x4B\x2B\x84\xC0\x2D\xB9\xD5\xC7\xFE\xF4\xC1\x1F\x58\xCB\xB8\x6D\x9C\x7A\x74\xE7\x98\x29\xAB\x11\xB5\xE3\x70\xA0\xA1\xCD\x4C\x88\x99\x93\x8C\x91\x70\xE2\xAB\x0F\x1C\xBE\x93\xA9\xFF\x63\xD5\xE4\x07\x60\xD3\xA3\xBF\x9D\x5B\x09\xF1\xD5\x8E\xE3\x53\xF4\x8E\x63\xFA\x3F\xA7\xDB\xB4\x66\xDF\x62\x66\xD6\xD1\x6E\x41\x8D\xF2\x2D\xB5\xEA\x77\x4A\x9F\x9D\x58\xE2\x2B\x59\xC0\x40\x23\xED\x2D\x28\x82\x45\x3E\x79\x54\x92\x26\x98\xE0\x80\x48\xA8\x37\xEF\xF0\xD6\x79\x60\x16\xDE\xAC\xE8\x0E\xCD\x6E\xAC\x44\x17\x38\x2F\x49\xDA\xE1\x45\x3E\x2A\xB9\x36\x53\xCF\x3A\x50\x06\xF7\x2E\xE8\xC4\x57\x49\x6C\x61\x21\x18\xD5\x04\xAD\x78\x3C\x2C\x3A\x80\x6B\xA7\xEB\xAF\x15\x14\xE9\xD8\x89\xC1\xB9\x38\x6C\xE2\x91\x6C\x8A\xFF\x64\xB9\x77\x25\x57\x30\xC0\x1B\x24\xA3\xE1\xDC\xE9\xDF\x47\x7C\xB5\xB4\x24\x08\x05\x30\xEC\x2D\xBD\x0B\xBF\x45\xBF\x50\xB9\xA9\xF3\xEB\x98\x01\x12\xAD\xC8\x88\xC6\x98\x34\x5F\x8D\x0A\x3C\xC6\xE9\xD5\x95\x95\x6D\xDE",
@@ -158,4 +149,10 @@ redef root_certs += {
 	["CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xE0\x30\x82\x03\xC8\xA0\x03\x02\x01\x02\x02\x11\x00\xF2\xFA\x64\xE2\x74\x63\xD3\x8D\xFD\x10\x1D\x04\x1F\x76\xCA\x58\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x45\x56\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x31\x30\x36\x32\x34\x30\x39\x34\x35\x30\x38\x5A\x17\x0D\x33\x31\x30\x36\x32\x35\x30\x38\x34\x35\x30\x38\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x45\x56\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\xF7\x1D\x2F\x57\xEA\x57\x6C\xF7\x70\x5D\x63\xB0\x71\x52\x09\x60\x44\x28\x33\xA3\x7A\x4E\x0A\xFA\xD8\xEA\x6C\x8B\x51\x16\x1A\x55\xAE\x54\x26\xC4\xCC\x45\x07\x41\x4F\x10\x79\x7F\x71\xD2\x7A\x4E\x3F\x38\x4E\xB3\x00\xC6\x95\xCA\x5B\xCD\xC1\x2A\x83\xD7\x27\x1F\x31\x0E\x23\x16\xB7\x25\xCB\x1C\xB4\xB9\x80\x32\x5E\x1A\x9D\x93\xF1\xE8\x3C\x60\x2C\xA7\x5E\x57\x19\x58\x51\x5E\xBC\x2C\x56\x0B\xB8\xD8\xEF\x8B\x82\xB4\x3C\xB8\xC2\x24\xA8\x13\xC7\xA0\x21\x36\x1B\x7A\x57\x29\x28\xA7\x2E\xBF\x71\x25\x90\xF3\x44\x83\x69\x50\xA4\xE4\xE1\x1B\x62\x19\x94\x09\xA3\xF3\xC3\xBC\xEF\xF4\xBD\xEC\xDB\x13\x9D\xCF\x9D\x48\x09\x52\x67\xC0\x37\x29\x11\x1E\xFB\xD2\x11\xA7\x85\x18\x74\x79\xE4\x4F\x85\x14\xEB\x52\x37\xE2\xB1\x45\xD8\xCC\x0D\x43\x7F\xAE\x13\xD2\x6B\x2B\x3F\xA7\xC2\xE2\xA8\x6D\x76\x5B\x43\x9F\xBE\xB4\x9D\xB3\x26\x86\x3B\x1F\x7F\xE5\xF2\xE8\x66\x28\x16\x25\xD0\x4B\x97\x38\xA7\xE4\xCF\x09\xD1\x36\xC3\x0B\xBE\xDA\x3B\x44\x58\x8D\xBE\xF1\x9E\x09\x6B\x3E\xF3\x32\xC7\x2B\x87\xC6\xEC\x5E\x9C\xF6\x87\x65\xAD\x33\x29\xC4\x2F\x89\xD9\xB9\xCB\xC9\x03\x9D\xFB\x6C\x94\x51\x97\x10\x1B\x86\x0B\x1A\x1B\x3F\xF6\x02\x7E\x7B\xD4\xC5\x51\x64\x28\x9D\xF5\xD3\xAC\x83\x81\x88\xD3\x74\xB4\x59\x9D\xC1\xEB\x61\x33\x5A\x45\xD1\xCB\x39\xD0\x06\x6A\x53\x60\x1D\xAF\xF6\xFB\x69\xBC\x6A\xDC\x01\xCF\xBD\xF9\x8F\xD9\xBD\x5B\xC1\x3A\x5F\x8E\xDA\x0F\x4B\xA9\x9B\x9D\x2A\x28\x6B\x1A\x0A\x7C\x3C\xAB\x22\x0B\xE5\x77\x2D\x71\xF6\x82\x35\x81\xAE\xF8\x7B\x81\xE6\xEA\xFE\xAC\xF4\x1A\x9B\x74\x5C\xE8\x8F\x24\xF6\x5D\x9D\x46\xC4\x2C\xD2\x1E\x2B\x21\x6A\x83\x27\x67\x55\x4A\xA4\xE3\xC8\x32\x97\x66\x90\x72\xDA\xE3\xD4\x64\x2E\x5F\xE3\xA1\x6A\xF6\x60\xD4\xE7\x35\xCD\xCA\xC4\x68\x8D\xD7\x71\xC8\xD3\x24\x33\x73\xB1\x6C\xF9\x6A\xE1\x28\xDB\x5F\xC6\x3D\xE8\xBE\x55\xE6\x37\x1B\xED\x24\xD9\x0F\x19\x8F\x5F\x63\x18\x58\x50\x81\x51\x65\x6F\xF2\x9F\x7E\x6A\x04\xE7\x34\x24\x71\xBA\x76\x4B\x58\x1E\x19\xBD\x15\x60\x45\xAA\x0C\x12\x40\x01\x9D\x10\xE2\xC7\x38\x07\x72\x0A\x65\xC0\xB6\xBB\x25\x29\xDA\x16\x9E\x8B\x35\x8B\x61\xED\xE5\x71\x57\x83\xB5\x3C\x71\x9F\xE3\x4F\xBF\x7E\x1E\x81\x9F\x41\x97\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x02\x02\x06\x07\x60\x85\x74\x01\x53\x02\x02\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xD9\xA5\x81\x6E\x3D\x88\x4D\x8D\x71\xD2\x46\xC1\x6E\x45\x1E\xF3\xC4\x80\x9D\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xD9\xA5\x81\x6E\x3D\x88\x4D\x8D\x71\xD2\x46\xC1\x6E\x45\x1E\xF3\xC4\x80\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x94\x3A\x73\x06\x9F\x52\x4B\x30\x5C\xD4\xFE\xB1\x5C\x25\xF9\xD7\x8E\x6F\xF5\x87\x64\x9F\xED\x14\x8E\xB8\x04\x8E\x28\x4B\x8F\xAA\x7B\x8E\x39\xB4\xD9\x58\xF6\x7B\xA1\x35\x0A\xA1\x9D\x8A\xF7\x63\xE5\xEB\xBD\x39\x82\xD4\xE3\x7A\x2D\x6F\xDF\x13\x3C\xBA\xFE\x7E\x56\x98\x0B\xF3\x54\x9F\xCD\x44\x4E\x6E\x3C\xE1\x3E\x15\xBF\x06\x26\x9D\xE4\xF0\x90\xB6\xD4\xC2\x9E\x30\x2E\x1F\xEF\xC7\x7A\xC4\x50\xC7\xEA\x7B\xDA\x50\xCB\x7A\x26\xCB\x00\xB4\x5A\xAB\xB5\x93\x1F\x80\x89\x84\x04\x95\x8D\x8D\x7F\x09\x93\xBF\xD4\xA8\xA8\xE4\x63\x6D\xD9\x64\xE4\xB8\x29\x5A\x08\xBF\x50\xE1\x84\x0F\x55\x7B\x5F\x08\x22\x1B\xF5\xBD\x99\x1E\x14\xF6\xCE\xF4\x58\x10\x82\xB3\x0A\x3D\x19\xC1\xBF\x5B\xAB\xAA\x99\xD8\xF2\x31\xBD\xE5\x38\x66\xDC\x58\x05\xC7\xED\x63\x1A\x2E\x0A\x97\x7C\x87\x93\x2B\xB2\x8A\xE3\xF1\xEC\x18\xE5\x75\xB6\x29\x87\xE7\xDC\x8B\x1A\x7E\xB4\xD8\xC9\xD3\x8A\x17\x6C\x7D\x29\x44\xBE\x8A\xAA\xF5\x7E\x3A\x2E\x68\x31\x93\xB9\x6A\xDA\x9A\xE0\xDB\xE9\x2E\xA5\x84\xCD\x1C\x0A\xB8\x4A\x08\xF9\x9C\xF1\x61\x26\x98\x93\xB7\x7B\x66\xEC\x91\x5E\xDD\x51\x3F\xDB\x73\x0F\xAD\x04\x58\x09\xDD\x04\x02\x95\x0A\x3E\xD3\x76\xDF\xA6\x10\x1E\x80\x3D\xE8\xCD\xA4\x64\xD1\x33\xC7\x92\xC7\xE2\x4E\x44\xE3\x09\xC9\x4E\xC2\x5D\x87\x0E\x12\x9E\xBF\x0F\xC9\x05\x10\xDE\x7A\xA3\xB1\x3C\xF2\x3F\xA5\xAA\x27\x79\xAD\x31\x7D\x1F\xFD\xFC\x19\x69\xC5\xDD\xB9\x3F\x7C\xCD\xC6\xB4\xC2\x30\x1E\x7E\x6E\x92\xD7\x7F\x61\x76\x5A\x8F\xEB\x95\x4D\xBC\x11\x6E\x21\x7C\x59\x37\x99\xD0\x06\xBC\xF9\x06\x6D\x32\x16\xA5\xD9\x69\xA8\xE1\xDC\x3C\x80\x1E\x60\x51\xDC\xD7\x54\x21\x1E\xCA\x62\x77\x4F\xFA\xD8\x8F\xB3\x2B\x3A\x0D\x78\x72\xC9\x68\x41\x5A\x47\x4A\xC2\xA3\xEB\x1A\xD7\x0A\xAB\x3C\x32\x55\xC8\x0A\x11\x9C\xDF\x74\xD6\xF0\x40\x15\x1D\xC8\xB9\x8F\xB5\x36\xC5\xAF\xF8\x22\xB8\xCA\x1D\xF3\xD6\xB6\x19\x0F\x9F\x61\x65\x6A\xEA\x74\xC8\x7C\x8F\xC3\x4F\x5D\x65\x82\x1F\xD9\x0D\x89\xDA\x75\x72\xFB\xEF\xF1\x47\x67\x13\xB3\xC8\xD1\x19\x88\x27\x26\x9A\x99\x79\x7F\x1E\xE4\x2C\x3F\x7B\xEE\xF1\xDE\x4D\x8B\x96\x97\xC3\xD5\x3F\x7C\x1B\x23\xED\xA4\xB3\x1D\x16\x72\x43\x4B\x20\xE1\x59\x7E\xC2\xE8\xAD\x26\xBF\xA2\xF7",
 	["CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x05\x69\x30\x82\x03\x51\xA0\x03\x02\x01\x02\x02\x09\x00\xC3\x03\x9A\xEE\x50\x90\x6E\x28\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x1E\x17\x0D\x31\x32\x30\x37\x31\x39\x30\x39\x30\x36\x35\x36\x5A\x17\x0D\x34\x32\x30\x37\x31\x39\x30\x39\x30\x36\x35\x36\x5A\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAA\xC3\x78\xF7\xDC\x98\xA3\xA7\x5A\x5E\x77\x18\xB2\xDD\x04\x64\x0F\x63\xFD\x9B\x96\x09\x80\xD5\xE8\xAA\xA5\xE2\x9C\x26\x94\x3A\xE8\x99\x73\x8C\x9D\xDF\xD7\xDF\x83\xF3\x78\x4F\x40\xE1\x7F\xD2\xA7\xD2\xE5\xCA\x13\x93\xE7\xED\xC6\x77\x5F\x36\xB5\x94\xAF\xE8\x38\x8E\xDB\x9B\xE5\x7C\xBB\xCC\x8D\xEB\x75\x73\xE1\x24\xCD\xE6\xA7\x2D\x19\x2E\xD8\xD6\x8A\x6B\x14\xEB\x08\x62\x0A\xD8\xDC\xB3\x00\x4D\xC3\x23\x7C\x5F\x43\x08\x23\x32\x12\xDC\xED\x0C\xAD\xC0\x7D\x0F\xA5\x7A\x42\xD9\x5A\x70\xD9\xBF\xA7\xD7\x01\x1C\xF6\x9B\xAB\x8E\xB7\x4A\x86\x78\xA0\x1E\x56\x31\xAE\xEF\x82\x0A\x80\x41\xF7\x1B\xC9\xAE\xAB\x32\x26\xD4\x2C\x6B\xED\x7D\x6B\xE4\xE2\x5E\x22\x0A\x45\xCB\x84\x31\x4D\xAC\xFE\xDB\xD1\x47\xBA\xF9\x60\x97\x39\xB1\x65\xC7\xDE\xFB\x99\xE4\x0A\x22\xB1\x2D\x4D\xE5\x48\x26\x69\xAB\xE2\xAA\xF3\xFB\xFC\x92\x29\x32\xE9\xB3\x3E\x4D\x1F\x27\xA1\xCD\x8E\xB9\x17\xFB\x25\x3E\xC9\x6E\xF3\x77\xDA\x0D\x12\xF6\x5D\xC7\xBB\x36\x10\xD5\x54\xD6\xF3\xE0\xE2\x47\x48\xE6\xDE\x14\xDA\x61\x52\xAF\x26\xB4\xF5\x71\x4F\xC9\xD7\xD2\x06\xDF\x63\xCA\xFF\x21\xE8\x59\x06\xE0\x08\xD5\x84\x15\x53\xF7\x43\xE5\x7C\xC5\xA0\x89\x98\x6B\x73\xC6\x68\xCE\x65\xDE\xBD\x7F\x05\xF7\xB1\xEE\xF6\x57\xA1\x60\x95\xC5\xCC\xEA\x93\x3A\xBE\x99\xAE\x9B\x02\xA3\xAD\xC9\x16\xB5\xCE\xDD\x5E\x99\x78\x7E\x1A\x39\x7E\xB2\xC0\x05\xA4\xC0\x82\xA5\xA3\x47\x9E\x8C\xEA\x5C\xB6\xBC\x67\xDB\xE6\x2A\x4D\xD2\x04\xDC\xA3\xAE\x45\xF7\xBC\x8B\x9C\x1C\xA7\xD6\xD5\x03\xDC\x08\xCB\x2E\x16\xCA\x5C\x40\x33\xE8\x67\xC3\x2E\xE7\xA6\x44\xEA\x11\x45\x1C\x35\x65\x2D\x1E\x45\x61\x24\x1B\x82\x2E\xA5\x9D\x33\x5D\x65\xF8\x41\xF9\x2E\xCB\x94\x3F\x1F\xA3\x0C\x31\x24\x44\xED\xC7\x5E\xAD\x50\xBA\xC6\x41\x9B\xAC\xF0\x17\x65\xC0\xF8\x5D\x6F\x5B\xA0\x0A\x34\x3C\xEE\xD7\xEA\x88\x9F\x98\xF9\xAF\x4E\x24\xFA\x97\xB2\x64\x76\xDA\xAB\xF4\xED\xE3\xC3\x60\xEF\xD5\xF9\x02\xC8\x2D\x9F\x83\xAF\x67\x69\x06\xA7\x31\x55\xD5\xCF\x4B\x6F\xFF\x04\x05\xC7\x58\xAC\x5F\x16\x1B\xE5\xD2\xA3\xEB\x31\xDB\x1F\x33\x15\x4D\xD0\xF2\xA5\x53\xF5\xCB\xE1\x3D\x4E\x68\x2D\xD8\x12\xDD\xAA\xF2\xE6\x4D\x9B\x49\xE5\xC5\x28\xA1\xBA\xB0\x5A\xC6\xA0\xB5\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x89\x0A\xB4\x38\x93\x1A\xE6\xAB\xEE\x9B\x91\x18\xF9\xF5\x3C\x3E\x35\xD0\xD3\x82\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x32\x8B\xF6\x9D\x4A\xC9\xBE\x14\xE5\x8C\xAC\x38\xCA\x3A\x09\xD4\x1B\xCE\x86\xB3\xDD\xEB\xD4\xBA\x28\xBE\x12\xAE\x45\x2C\x04\x74\xAC\x13\x51\xC5\x58\x18\x66\x4D\x82\xDA\xD5\xDC\x93\xC0\x27\xE1\xBE\x7C\x9F\x52\x9E\x12\x56\xF6\xD5\x9C\xA9\xF4\x75\x9C\xFA\x37\x12\x8F\x1C\x93\xEC\x57\xFE\x07\x0F\xAB\xD5\x12\xF7\x0F\xAE\x61\x5E\x56\x80\x49\xF5\xFC\x30\xF5\x9B\x4F\x1F\x41\x2F\x1C\x84\xD3\x89\xC7\xE2\xDA\x02\x76\xED\x09\xCF\x6C\xC1\xB8\x1C\x83\x1C\x16\xFA\x94\xCD\x7D\xA0\xC8\x18\xD2\xC8\x9D\x6E\xF5\xBD\x69\xD4\x6D\x3D\x35\xE8\x1E\xA2\x4F\x60\xD7\x07\x29\xFC\xB2\xA3\xA4\x9D\x6E\x15\x92\x56\x19\x4C\x0A\xB0\xE9\x7C\xD2\x19\x4D\x42\x46\xEC\xBD\xFD\xF6\x57\x5B\xDD\x98\x7E\xA4\x4D\xCC\x72\x03\x83\x58\x5D\xEF\x93\x3A\x41\x7A\x63\xAA\x7C\x3A\xA8\xF5\xAC\xA4\xD1\xDD\xA2\x2D\xB6\x2A\xFC\x9F\x01\x8E\xE2\x10\xB1\xC4\xCA\xE4\x67\xDB\x55\x25\x19\x3F\xFD\xE8\x36\x7E\xB3\xE1\xE1\x81\xAF\x11\x16\x8B\x50\x97\x60\x19\x82\x00\xC0\x6B\x4D\x73\xB8\xD1\x13\x07\x3E\xEA\xB6\x31\x4F\xF0\x42\x9A\x6D\xE2\x11\x74\xE5\x94\xAC\x8D\x84\x95\x3C\x21\xAF\xC5\xDA\x47\xC8\xDF\x39\x62\x62\xCB\x5B\x50\x0B\xD7\x81\x40\x05\x9C\x9B\xED\xBA\xB6\x8B\x1E\x04\x6F\x96\x20\x39\xED\xA4\x7D\x29\xDB\x48\xCE\x82\xDC\xD4\x02\x8D\x1D\x04\x31\x5A\xC7\x4B\xF0\x6C\x61\x52\xD7\xB4\x51\xC2\x81\x6C\xCD\xE1\xFB\xA7\xA1\xD2\x92\x76\xCF\xB1\x0F\x37\x58\xA4\xF2\x52\x71\x67\x3F\x0C\x88\x78\x80\x89\xC1\xC8\xB5\x1F\x92\x63\xBE\xA7\x7A\x8A\x56\x2C\x1A\xA8\xA6\x9C\xB5\x5D\xB3\x63\xD0\x13\x20\xA1\xEB\x91\x6C\xD0\x8D\x7D\xAF\xDF\x0B\xE4\x17\xB9\x86\x9E\x38\xB1\x94\x0C\x58\x8C\xE0\x55\xAA\x3B\x63\x6D\x9A\x89\x60\xB8\x64\x2A\x92\xC6\x37\xF4\x7E\x43\x43\xB7\x73\xE8\x01\xE7\x7F\x97\x0F\xD7\xF2\x7B\x19\xFD\x1A\xD7\x8F\xC9\xFA\x85\x6B\x7A\x9D\x9E\x89\xB6\xA6\x28\x99\x93\x88\x40\xF7\x3E\xCD\x51\xA3\xCA\xEA\xEF\x79\x47\x21\xB5\xFE\x32\xE2\xC7\xC3\x51\x6F\xBE\x80\x74\xF0\xA4\xC3\x3A\xF2\x4F\xE9\x5F\xDF\x19\x0A\xF2\x3B\x13\x43\xAC\x31\xA4\xB3\xE7\xEB\xFC\x18\xD6\x01\xA9\xF3\x2A\x8F\x36\x0E\xEB\xB4\xB1\xBC\xB7\x4C\xC9\x6B\xBF\xA1\xF3\xD9\xF4\xED\xE2\xF0\xE3\xED\x64\x9E\x3D\x2F\x96\x52\x4F\x80\x53\x8B",
 	["CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x05\x69\x30\x82\x03\x51\xA0\x03\x02\x01\x02\x02\x09\x00\x92\xB8\x88\xDB\xB0\x8A\xC1\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x32\x30\x1E\x17\x0D\x31\x32\x30\x37\x31\x39\x30\x39\x31\x35\x33\x30\x5A\x17\x0D\x34\x32\x30\x37\x31\x39\x30\x39\x31\x35\x33\x30\x5A\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA2\xA3\xC4\x00\x09\xD6\x85\x5D\x2D\x6D\x14\xF6\xC2\xC3\x73\x9E\x35\xC2\x71\x55\x7E\x81\xFB\xAB\x46\x50\xE0\xC1\x7C\x49\x78\xE6\xAB\x79\x58\x3C\xDA\xFF\x7C\x1C\x9F\xD8\x97\x02\x78\x3E\x6B\x41\x04\xE9\x41\xBD\xBE\x03\x2C\x45\xF6\x2F\x64\xD4\xAB\x5D\xA3\x47\x3D\x64\x9B\xE9\x68\x9A\xC6\xCC\x1B\x3F\xBA\xBE\xB2\x8B\x34\x02\x2E\x98\x55\x19\xFC\x8C\x6F\xAA\x5F\xDA\x4C\xCE\x4D\x03\x21\xA3\xD8\xD2\x34\x93\x56\x96\xCB\x4C\x0C\x00\x16\x3C\x5F\x1A\xCD\xC8\xC7\x6C\xA6\xAD\xD3\x31\xA7\xBC\xE8\xE5\xE1\x66\xD6\xD2\xFB\x03\xB4\x41\x65\xC9\x10\xAE\x0E\x05\x63\xC6\x80\x6A\x69\x30\xFD\xD2\xEE\x90\xEF\x0D\x27\xDF\x9F\x95\x73\xF4\xE1\x25\xDA\x6C\x16\xDE\x41\x38\x34\xEA\x8B\xFC\xD1\xE8\x04\x14\x61\x2D\x41\x7E\xAC\xC7\x77\x4E\xCB\x51\x54\xFB\x5E\x92\x18\x1B\x04\x5A\x68\xC6\xC9\xC4\xFA\xB7\x13\xA0\x98\xB7\x11\x2B\xB7\xD6\x57\xCC\x7C\x9E\x17\xD1\xCB\x25\xFE\x86\x4E\x24\x2E\x56\x0C\x78\x4D\x9E\x01\x12\xA6\x2B\xA7\x01\x65\x6E\x7C\x62\x1D\x84\x84\xDF\xEA\xC0\x6B\xB5\xA5\x2A\x95\x83\xC3\x53\x11\x0C\x73\x1D\x0B\xB2\x46\x90\xD1\x42\x3A\xCE\x40\x6E\x95\xAD\xFF\xC6\x94\xAD\x6E\x97\x84\x8E\x7D\x6F\x9E\x8A\x80\x0D\x49\x6D\x73\xE2\x7B\x92\x1E\xC3\xF3\xC1\xF3\xEB\x2E\x05\x6F\xD9\x1B\xCF\x37\x76\x04\xC8\xB4\x5A\xE4\x17\xA7\xCB\xDD\x76\x1F\xD0\x19\x76\xE8\x2C\x05\xB3\xD6\x9C\x34\xD8\x96\xDC\x61\x87\x91\x05\xE4\x44\x08\x33\xC1\xDA\xB9\x08\x65\xD4\xAE\xB2\x36\x0D\xEB\xBA\x38\xBA\x0C\xE5\x9B\x9E\xEB\x8D\x66\xDD\x99\xCF\xD6\x89\x41\xF6\x04\x92\x8A\x29\x29\x6D\x6B\x3A\x1C\xE7\x75\x7D\x02\x71\x0E\xF3\xC0\xE7\xBD\xCB\x19\xDD\x9D\x60\xB2\xC2\x66\x60\xB6\xB1\x04\xEE\xC9\xE6\x86\xB9\x9A\x66\x40\xA8\xE7\x11\xED\x81\x45\x03\x8B\xF6\x67\x59\xE8\xC1\x06\x11\xBD\xDD\xCF\x80\x02\x4F\x65\x40\x78\x5C\x47\x50\xC8\x9B\xE6\x1F\x81\x7B\xE4\x44\xA8\x5B\x85\x9A\xE2\xDE\x5A\xD5\xC7\xF9\x3A\x44\x66\x4B\xE4\x32\x54\x7C\xE4\x6C\x9C\xB3\x0E\x3D\x17\xA2\xB2\x34\x12\xD6\x7E\xB2\xA8\x49\xBB\xD1\x7A\x28\x40\xBE\xA2\x16\x1F\xDF\xE4\x37\x1F\x11\x73\xFB\x90\x0A\x65\x43\xA2\x0D\x7C\xF8\x06\x01\x55\x33\x7D\xB0\x0D\xB8\xF4\xF5\xAE\xA5\x42\x57\x7C\x36\x11\x8C\x7B\x5E\xC4\x03\x9D\x8C\x79\x9D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB5\x99\xF8\xAF\xB0\x94\xF5\xE3\x20\xD6\x0A\xAD\xCE\x4E\x56\xA4\x2E\x6E\x42\xED\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x26\x06\x5E\x70\xE7\x65\x33\xC8\x82\x6E\xD9\x9C\x17\x3A\x1B\x7A\x66\xB2\x01\xF6\x78\x3B\x69\x5E\x2F\xEA\xFF\x4E\xF9\x28\xC3\x98\x2A\x61\x4C\xB4\x24\x12\x8A\x7D\x6D\x11\x14\xF7\x9C\xB5\xCA\xE6\xBC\x9E\x27\x8E\x4C\x19\xC8\xA9\xBD\x7A\xC0\xD7\x36\x0E\x6D\x85\x72\x6E\xA8\xC6\xA2\x6D\xF6\xFA\x73\x63\x7F\xBC\x6E\x79\x08\x1C\x9D\x8A\x9F\x1A\x8A\x53\xA6\xD8\xBB\xD9\x35\x55\xB1\x11\xC5\xA9\x03\xB3\x56\x3B\xB9\x84\x93\x22\x5E\x7E\xC1\xF6\x12\x52\x8B\xEA\x2C\x67\xBC\xFE\x36\x4C\xF5\xB8\xCF\xD1\xB3\x49\x92\x3B\xD3\x29\x0E\x99\x1B\x96\xF7\x61\xB8\x3B\xC4\x2B\xB6\x78\x6C\xB4\x23\x6F\xF0\xFD\xD3\xB2\x5E\x75\x1F\x99\x95\xA8\xAC\xF6\xDA\xE1\xC5\x31\x7B\xFB\xD1\x46\xB3\xD2\xBC\x67\xB4\x62\x54\xBA\x09\xF7\x63\xB0\x93\xA2\x9A\xF9\xE9\x52\x2E\x8B\x60\x12\xAB\xFC\xF5\x60\x56\xEF\x10\x5C\x8B\xC4\x1A\x42\xDC\x83\x5B\x64\x0E\xCB\xB5\xBC\xD6\x4F\xC1\x7C\x3C\x6E\x8D\x13\x6D\xFB\x7B\xEB\x30\xD0\xDC\x4D\xAF\xC5\xD5\xB6\xA5\x4C\x5B\x71\xC9\xE8\x31\xBE\xE8\x38\x06\x48\xA1\x1A\xE2\xEA\xD2\xDE\x12\x39\x58\x1A\xFF\x80\x0E\x82\x75\xE6\xB7\xC9\x07\x6C\x0E\xEF\xFF\x38\xF1\x98\x71\xC4\xB7\x7F\x0E\x15\xD0\x25\x69\xBD\x22\x9D\x2B\xED\x05\xF6\x46\x47\xAC\xED\xC0\xF0\xD4\x3B\xE2\xEC\xEE\x96\x5B\x90\x13\x4E\x1E\x56\x3A\xEB\xB0\xEF\x96\xBB\x96\x23\x11\xBA\xF2\x43\x86\x74\x64\x95\xC8\x28\x75\xDF\x1D\x35\xBA\xD2\x37\x83\x38\x53\x38\x36\x3B\xCF\x6C\xE9\xF9\x6B\x0E\xD0\xFB\x04\xE8\x4F\x77\xD7\x65\x01\x78\x86\x0C\x7A\x3E\x21\x62\xF1\x7F\x63\x71\x0C\xC9\x9F\x44\xDB\xA8\x27\xA2\x75\xBE\x6E\x81\x3E\xD7\xC0\xEB\x1B\x98\x0F\x70\x5C\x34\xB2\x8A\xCC\xC0\x85\x18\xEB\x6E\x7A\xB3\xF7\x5A\xA1\x07\xBF\xA9\x42\x92\xF3\x60\x22\x97\xE4\x14\xA1\x07\x9B\x4E\x76\xC0\x8E\x7D\xFD\xA4\x25\xC7\x47\xED\xFF\x1F\x73\xAC\xCC\xC3\xA5\xE9\x6F\x0A\x8E\x9B\x65\xC2\x50\x85\xB5\xA3\xA0\x53\x12\xCC\x55\x87\x61\xF3\x81\xAE\x10\x46\x61\xBD\x44\x21\xB8\xC2\x3D\x74\xCF\x7E\x24\x35\xFA\x1C\x07\x0E\x9B\x3D\x22\xCA\xEF\x31\x2F\x8C\xAC\x12\xBD\xEF\x40\x28\xFC\x29\x67\x9F\xB2\x13\x4F\x66\x24\xC4\x53\x19\xE9\x1E\x29\x15\xEF\xE6\x6D\xB0\x7F\x2D\x67\xFD\xF3\x6C\x1B\x75\x46\xA3\xE5\x4A\x17\xE9\xA4\xD7\x0B",
+	["C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1"] = "\x30\x82\x07\xD3\x30\x82\x05\xBB\xA0\x03\x02\x01\x02\x02\x08\x5E\xC3\xB7\xA6\x43\x7F\xA4\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x42\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0C\x09\x41\x43\x43\x56\x52\x41\x49\x5A\x31\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x50\x4B\x49\x41\x43\x43\x56\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x43\x43\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x1E\x17\x0D\x31\x31\x30\x35\x30\x35\x30\x39\x33\x37\x33\x37\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x30\x39\x33\x37\x33\x37\x5A\x30\x42\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0C\x09\x41\x43\x43\x56\x52\x41\x49\x5A\x31\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x50\x4B\x49\x41\x43\x43\x56\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x43\x43\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9B\xA9\xAB\xBF\x61\x4A\x97\xAF\x2F\x97\x66\x9A\x74\x5F\xD0\xD9\x96\xFD\xCF\xE2\xE4\x66\xEF\x1F\x1F\x47\x33\xC2\x44\xA3\xDF\x9A\xDE\x1F\xB5\x54\xDD\x15\x7C\x69\x35\x11\x6F\xBB\xC8\x0C\x8E\x6A\x18\x1E\xD8\x8F\xD9\x16\xBC\x10\x48\x36\x5C\xF0\x63\xB3\x90\x5A\x5C\x24\x37\xD7\xA3\xD6\xCB\x09\x71\xB9\xF1\x01\x72\x84\xB0\x7D\xDB\x4D\x80\xCD\xFC\xD3\x6F\xC9\xF8\xDA\xB6\x0E\x82\xD2\x45\x85\xA8\x1B\x68\xA8\x3D\xE8\xF4\x44\x6C\xBD\xA1\xC2\xCB\x03\xBE\x8C\x3E\x13\x00\x84\xDF\x4A\x48\xC0\xE3\x22\x0A\xE8\xE9\x37\xA7\x18\x4C\xB1\x09\x0D\x23\x56\x7F\x04\x4D\xD9\x17\x84\x18\xA5\xC8\xDA\x40\x94\x73\xEB\xCE\x0E\x57\x3C\x03\x81\x3A\x9D\x0A\xA1\x57\x43\x69\xAC\x57\x6D\x79\x90\x78\xE5\xB5\xB4\x3B\xD8\xBC\x4C\x8D\x28\xA1\xA7\xA3\xA7\xBA\x02\x4E\x25\xD1\x2A\xAE\xED\xAE\x03\x22\xB8\x6B\x20\x0F\x30\x28\x54\x95\x7F\xE0\xEE\xCE\x0A\x66\x9D\xD1\x40\x2D\x6E\x22\xAF\x9D\x1A\xC1\x05\x19\xD2\x6F\xC0\xF2\x9F\xF8\x7B\xB3\x02\x42\xFB\x50\xA9\x1D\x2D\x93\x0F\x23\xAB\xC6\xC1\x0F\x92\xFF\xD0\xA2\x15\xF5\x53\x09\x71\x1C\xFF\x45\x13\x84\xE6\x26\x5E\xF8\xE0\x88\x1C\x0A\xFC\x16\xB6\xA8\x73\x06\xB8\xF0\x63\x84\x02\xA0\xC6\x5A\xEC\xE7\x74\xDF\x70\xAE\xA3\x83\x25\xEA\xD6\xC7\x97\x87\x93\xA7\xC6\x8A\x8A\x33\x97\x60\x37\x10\x3E\x97\x3E\x6E\x29\x15\xD6\xA1\x0F\xD1\x88\x2C\x12\x9F\x6F\xAA\xA4\xC6\x42\xEB\x41\xA2\xE3\x95\x43\xD3\x01\x85\x6D\x8E\xBB\x3B\xF3\x23\x36\xC7\xFE\x3B\xE0\xA1\x25\x07\x48\xAB\xC9\x89\x74\xFF\x08\x8F\x80\xBF\xC0\x96\x65\xF3\xEE\xEC\x4B\x68\xBD\x9D\x88\xC3\x31\xB3\x40\xF1\xE8\xCF\xF6\x38\xBB\x9C\xE4\xD1\x7F\xD4\xE5\x58\x9B\x7C\xFA\xD4\xF3\x0E\x9B\x75\x91\xE4\xBA\x52\x2E\x19\x7E\xD1\xF5\xCD\x5A\x19\xFC\xBA\x06\xF6\xFB\x52\xA8\x4B\x99\x04\xDD\xF8\xF9\xB4\x8B\x50\xA3\x4E\x62\x89\xF0\x87\x24\xFA\x83\x42\xC1\x87\xFA\xD5\x2D\x29\x2A\x5A\x71\x7A\x64\x6A\xD7\x27\x60\x63\x0D\xDB\xCE\x49\xF5\x8D\x1F\x90\x89\x32\x17\xF8\x73\x43\xB8\xD2\x5A\x93\x86\x61\xD6\xE1\x75\x0A\xEA\x79\x66\x76\x88\x4F\x71\xEB\x04\x25\xD6\x0A\x5A\x7A\x93\xE5\xB9\x4B\x17\x40\x0F\xB1\xB6\xB9\xF5\xDE\x4F\xDC\xE0\xB3\xAC\x3B\x11\x70\x60\x84\x4A\x43\x6E\x99\x20\xC0\x29\x71\x0A\xC0\x65\x02\x03\x01\x00\x01\xA3\x82\x02\xCB\x30\x82\x02\xC7\x30\x7D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x71\x30\x6F\x30\x4C\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x66\x69\x6C\x65\x61\x64\x6D\x69\x6E\x2F\x41\x72\x63\x68\x69\x76\x6F\x73\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x2F\x72\x61\x69\x7A\x61\x63\x63\x76\x31\x2E\x63\x72\x74\x30\x1F\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x13\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x61\x63\x63\x76\x2E\x65\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\x87\xB4\xE3\xDF\x37\x27\x93\x55\xF6\x56\xEA\x81\xE5\x36\xCC\x8C\x1E\x3F\xBD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xD2\x87\xB4\xE3\xDF\x37\x27\x93\x55\xF6\x56\xEA\x81\xE5\x36\xCC\x8C\x1E\x3F\xBD\x30\x82\x01\x73\x06\x03\x55\x1D\x20\x04\x82\x01\x6A\x30\x82\x01\x66\x30\x82\x01\x62\x06\x04\x55\x1D\x20\x00\x30\x82\x01\x58\x30\x82\x01\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\x14\x1E\x82\x01\x10\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x41\x00\x43\x00\x43\x00\x56\x00\x20\x00\x28\x00\x41\x00\x67\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x20\x00\x64\x00\x65\x00\x20\x00\x54\x00\x65\x00\x63\x00\x6E\x00\x6F\x00\x6C\x00\x6F\x00\x67\x00\xED\x00\x61\x00\x20\x00\x79\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x45\x00\x6C\x00\x65\x00\x63\x00\x74\x00\x72\x00\xF3\x00\x6E\x00\x69\x00\x63\x00\x61\x00\x2C\x00\x20\x00\x43\x00\x49\x00\x46\x00\x20\x00\x51\x00\x34\x00\x36\x00\x30\x00\x31\x00\x31\x00\x35\x00\x36\x00\x45\x00\x29\x00\x2E\x00\x20\x00\x43\x00\x50\x00\x53\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x61\x00\x63\x00\x63\x00\x76\x00\x2E\x00\x65\x00\x73\x30\x30\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x6C\x65\x67\x69\x73\x6C\x61\x63\x69\x6F\x6E\x5F\x63\x2E\x68\x74\x6D\x30\x55\x06\x03\x55\x1D\x1F\x04\x4E\x30\x4C\x30\x4A\xA0\x48\xA0\x46\x86\x44\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x66\x69\x6C\x65\x61\x64\x6D\x69\x6E\x2F\x41\x72\x63\x68\x69\x76\x6F\x73\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x2F\x72\x61\x69\x7A\x61\x63\x63\x76\x31\x5F\x64\x65\x72\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x17\x06\x03\x55\x1D\x11\x04\x10\x30\x0E\x81\x0C\x61\x63\x63\x76\x40\x61\x63\x63\x76\x2E\x65\x73\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x97\x31\x02\x9F\xE7\xFD\x43\x67\x48\x44\x14\xE4\x29\x87\xED\x4C\x28\x66\xD0\x8F\x35\xDA\x4D\x61\xB7\x4A\x97\x4D\xB5\xDB\x90\xE0\x05\x2E\x0E\xC6\x79\xD0\xF2\x97\x69\x0F\xBD\x04\x47\xD9\xBE\xDB\xB5\x29\xDA\x9B\xD9\xAE\xA9\x99\xD5\xD3\x3C\x30\x93\xF5\x8D\xA1\xA8\xFC\x06\x8D\x44\xF4\xCA\x16\x95\x7C\x33\xDC\x62\x8B\xA8\x37\xF8\x27\xD8\x09\x2D\x1B\xEF\xC8\x14\x27\x20\xA9\x64\x44\xFF\x2E\xD6\x75\xAA\x6C\x4D\x60\x40\x19\x49\x43\x54\x63\xDA\xE2\xCC\xBA\x66\xE5\x4F\x44\x7A\x5B\xD9\x6A\x81\x2B\x40\xD5\x7F\xF9\x01\x27\x58\x2C\xC8\xED\x48\x91\x7C\x3F\xA6\x00\xCF\xC4\x29\x73\x11\x36\xDE\x86\x19\x3E\x9D\xEE\x19\x8A\x1B\xD5\xB0\xED\x8E\x3D\x9C\x2A\xC0\x0D\xD8\x3D\x66\xE3\x3C\x0D\xBD\xD5\x94\x5C\xE2\xE2\xA7\x35\x1B\x04\x00\xF6\x3F\x5A\x8D\xEA\x43\xBD\x5F\x89\x1D\xA9\xC1\xB0\xCC\x99\xE2\x4D\x00\x0A\xDA\xC9\x27\x5B\xE7\x13\x90\x5C\xE4\xF5\x33\xA2\x55\x6D\xDC\xE0\x09\x4D\x2F\xB1\x26\x5B\x27\x75\x00\x09\xC4\x62\x77\x29\x08\x5F\x9E\x59\xAC\xB6\x7E\xAD\x9F\x54\x30\x22\x03\xC1\x1E\x71\x64\xFE\xF9\x38\x0A\x96\x18\xDD\x02\x14\xAC\x23\xCB\x06\x1C\x1E\xA4\x7D\x8D\x0D\xDE\x27\x41\xE8\xAD\xDA\x15\xB7\xB0\x23\xDD\x2B\xA8\xD3\xDA\x25\x87\xED\xE8\x55\x44\x4D\x88\xF4\x36\x7E\x84\x9A\x78\xAC\xF7\x0E\x56\x49\x0E\xD6\x33\x25\xD6\x84\x50\x42\x6C\x20\x12\x1D\x2A\xD5\xBE\xBC\xF2\x70\x81\xA4\x70\x60\xBE\x05\xB5\x9B\x9E\x04\x44\xBE\x61\x23\xAC\xE9\xA5\x24\x8C\x11\x80\x94\x5A\xA2\xA2\xB9\x49\xD2\xC1\xDC\xD1\xA7\xED\x31\x11\x2C\x9E\x19\xA6\xEE\xE1\x55\xE1\xC0\xEA\xCF\x0D\x84\xE4\x17\xB7\xA2\x7C\xA5\xDE\x55\x25\x06\xEE\xCC\xC0\x87\x5C\x40\xDA\xCC\x95\x3F\x55\xE0\x35\xC7\xB8\x84\xBE\xB4\x5D\xCD\x7A\x83\x01\x72\xEE\x87\xE6\x5F\x1D\xAE\xB5\x85\xC6\x26\xDF\xE6\xC1\x9A\xE9\x1E\x02\x47\x9F\x2A\xA8\x6D\xA9\x5B\xCF\xEC\x45\x77\x7F\x98\x27\x9A\x32\x5D\x2A\xE3\x84\xEE\xC5\x98\x66\x2F\x96\x20\x1D\xDD\xD8\xC3\x27\xD7\xB0\xF9\xFE\xD9\x7D\xCD\xD0\x9F\x8F\x0B\x14\x58\x51\x9F\x2F\x8B\xC3\x38\x2D\xDE\xE8\x8F\xD6\x8D\x87\xA4\xF5\x56\x43\x16\x99\x2C\xF4\xA4\x56\xB4\x34\xB8\x61\x37\xC9\xC2\x58\x80\x1B\xA0\x97\xA1\xFC\x59\x8D\xE9\x11\xF6\xD1\x0F\x4B\x55\x34\x46\x2A\x8B\x86\x3B",
+	["CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x05\x41\x30\x82\x03\x29\xA0\x03\x02\x01\x02\x02\x02\x0C\xBE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x54\x57\x43\x41\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x32\x30\x36\x32\x37\x30\x36\x32\x38\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x54\x57\x43\x41\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB0\x05\xDB\xC8\xEB\x8C\xC4\x6E\x8A\x21\xEF\x8E\x4D\x9C\x71\x0A\x1F\x52\x70\xED\x6D\x82\x9C\x97\xC5\xD7\x4C\x4E\x45\x49\xCB\x40\x42\xB5\x12\x34\x6C\x19\xC2\x74\xA4\x31\x5F\x85\x02\x97\xEC\x43\x33\x0A\x53\xD2\x9C\x8C\x8E\xB7\xB8\x79\xDB\x2B\xD5\x6A\xF2\x8E\x66\xC4\xEE\x2B\x01\x07\x92\xD4\xB3\xD0\x02\xDF\x50\xF6\x55\xAF\x66\x0E\xCB\xE0\x47\x60\x2F\x2B\x32\x39\x35\x52\x3A\x28\x83\xF8\x7B\x16\xC6\x18\xB8\x62\xD6\x47\x25\x91\xCE\xF0\x19\x12\x4D\xAD\x63\xF5\xD3\x3F\x75\x5F\x29\xF0\xA1\x30\x1C\x2A\xA0\x98\xA6\x15\xBD\xEE\xFD\x19\x36\xF0\xE2\x91\x43\x8F\xFA\xCA\xD6\x10\x27\x49\x4C\xEF\xDD\xC1\xF1\x85\x70\x9B\xCA\xEA\xA8\x5A\x43\xFC\x6D\x86\x6F\x73\xE9\x37\x45\xA9\xF0\x36\xC7\xCC\x88\x75\x1E\xBB\x6C\x06\xFF\x9B\x6B\x3E\x17\xEC\x61\xAA\x71\x7C\xC6\x1D\xA2\xF7\x49\xE9\x15\xB5\x3C\xD6\xA1\x61\xF5\x11\xF7\x05\x6F\x1D\xFD\x11\xBE\xD0\x30\x07\xC2\x29\xB0\x09\x4E\x26\xDC\xE3\xA2\xA8\x91\x6A\x1F\xC2\x91\x45\x88\x5C\xE5\x98\xB8\x71\xA5\x15\x19\xC9\x7C\x75\x11\xCC\x70\x74\x4F\x2D\x9B\x1D\x91\x44\xFD\x56\x28\xA0\xFE\xBB\x86\x6A\xC8\xFA\x5C\x0B\x58\xDC\xC6\x4B\x76\xC8\xAB\x22\xD9\x73\x0F\xA5\xF4\x5A\x02\x89\x3F\x4F\x9E\x22\x82\xEE\xA2\x74\x53\x2A\x3D\x53\x27\x69\x1D\x6C\x8E\x32\x2C\x64\x00\x26\x63\x61\x36\x4E\xA3\x46\xB7\x3F\x7D\xB3\x2D\xAC\x6D\x90\xA2\x95\xA2\xCE\xCF\xDA\x82\xE7\x07\x34\x19\x96\xE9\xB8\x21\xAA\x29\x7E\xA6\x38\xBE\x8E\x29\x4A\x21\x66\x79\x1F\xB3\xC3\xB5\x09\x67\xDE\xD6\xD4\x07\x46\xF3\x2A\xDA\xE6\x22\x37\x60\xCB\x81\xB6\x0F\xA0\x0F\xE9\xC8\x95\x7F\xBF\x55\x91\x05\x7A\xCF\x3D\x15\xC0\x6F\xDE\x09\x94\x01\x83\xD7\x34\x1B\xCC\x40\xA5\xF0\xB8\x9B\x67\xD5\x98\x91\x3B\xA7\x84\x78\x95\x26\xA4\x5A\x08\xF8\x2B\x74\xB4\x00\x04\x3C\xDF\xB8\x14\x8E\xE8\xDF\xA9\x8D\x6C\x67\x92\x33\x1D\xC0\xB7\xD2\xEC\x92\xC8\xBE\x09\xBF\x2C\x29\x05\x6F\x02\x6B\x9E\xEF\xBC\xBF\x2A\xBC\x5B\xC0\x50\x8F\x41\x70\x71\x87\xB2\x4D\xB7\x04\xA9\x84\xA3\x32\xAF\xAE\xEE\x6B\x17\x8B\xB2\xB1\xFE\x6C\xE1\x90\x8C\x88\xA8\x97\x48\xCE\xC8\x4D\xCB\xF3\x06\xCF\x5F\x6A\x0A\x42\xB1\x1E\x1E\x77\x2F\x8E\xA0\xE6\x92\x0E\x06\xFC\x05\x22\xD2\x26\xE1\x31\x51\x7D\x32\xDC\x0F\x02\x03\x01\x00\x01\xA3\x23\x30\x21\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x5F\x34\x81\x76\xEF\x96\x1D\xD5\xE5\xB5\xD9\x02\x63\x84\x16\xC1\xAE\xA0\x70\x51\xA7\xF7\x4C\x47\x35\xC8\x0B\xD7\x28\x3D\x89\x71\xD9\xAA\x33\x41\xEA\x14\x1B\x6C\x21\x00\xC0\x6C\x42\x19\x7E\x9F\x69\x5B\x20\x42\xDF\xA2\xD2\xDA\xC4\x7C\x97\x4B\x8D\xB0\xE8\xAC\xC8\xEE\xA5\x69\x04\x99\x0A\x92\xA6\xAB\x27\x2E\x1A\x4D\x81\xBF\x84\xD4\x70\x1E\xAD\x47\xFE\xFD\x4A\x9D\x33\xE0\xF2\xB9\xC4\x45\x08\x21\x0A\xDA\x69\x69\x73\x72\x0D\xBE\x34\xFE\x94\x8B\xAD\xC3\x1E\x35\xD7\xA2\x83\xEF\xE5\x38\xC7\xA5\x85\x1F\xAB\xCF\x34\xEC\x3F\x28\xFE\x0C\xF1\x57\x86\x4E\xC9\x55\xF7\x1C\xD4\xD8\xA5\x7D\x06\x7A\x6F\xD5\xDF\x10\xDF\x81\x4E\x21\x65\xB1\xB6\xE1\x17\x79\x95\x45\x06\xCE\x5F\xCC\xDC\x46\x89\x63\x68\x44\x8D\x93\xF4\x64\x70\xA0\x3D\x9D\x28\x05\xC3\x39\x70\xB8\x62\x7B\x20\xFD\xE4\xDB\xE9\x08\xA1\xB8\x9E\x3D\x09\xC7\x4F\xFB\x2C\xF8\x93\x76\x41\xDE\x52\xE0\xE1\x57\xD2\x9D\x03\xBC\x77\x9E\xFE\x9E\x29\x5E\xF7\xC1\x51\x60\x1F\xDE\xDA\x0B\xB2\x2D\x75\xB7\x43\x48\x93\xE7\xF6\x79\xC6\x84\x5D\x80\x59\x60\x94\xFC\x78\x98\x8F\x3C\x93\x51\xED\x40\x90\x07\xDF\x64\x63\x24\xCB\x4E\x71\x05\xA1\xD7\x94\x1A\x88\x32\xF1\x22\x74\x22\xAE\xA5\xA6\xD8\x12\x69\x4C\x60\xA3\x02\xEE\x2B\xEC\xD4\x63\x92\x0B\x5E\xBE\x2F\x76\x6B\xA3\xB6\x26\xBC\x8F\x03\xD8\x0A\xF2\x4C\x64\x46\xBD\x39\x62\xE5\x96\xEB\x34\x63\x11\x28\xCC\x95\xF1\xAD\xEF\xEF\xDC\x80\x58\x48\xE9\x4B\xB8\xEA\x65\xAC\xE9\xFC\x80\xB5\xB5\xC8\x45\xF9\xAC\xC1\x9F\xD9\xB9\xEA\x62\x88\x8E\xC4\xF1\x4B\x83\x12\xAD\xE6\x8B\x84\xD6\x9E\xC2\xEB\x83\x18\x9F\x6A\xBB\x1B\x24\x60\x33\x70\xCC\xEC\xF7\x32\xF3\x5C\xD9\x79\x7D\xEF\x9E\xA4\xFE\xC9\x23\xC3\x24\xEE\x15\x92\xB1\x3D\x91\x4F\x26\x86\xBD\x66\x73\x24\x13\xEA\xA4\xAE\x63\xC1\xAD\x7D\x84\x03\x3C\x10\x78\x86\x1B\x79\xE3\xC4\xF3\xF2\x04\x95\x20\xAE\x23\x82\xC4\xB3\x3A\x00\x62\xBF\xE6\x36\x24\xE1\x57\xBA\xC7\x1E\x90\x75\xD5\x5F\x3F\x95\x61\x2B\xC1\x3B\xCD\xE5\xB3\x68\x61\xD0\x46\x26\xA9\x21\x52\x69\x2D\xEB\x2E\xC7\xEB\x77\xCE\xA6\x3A\xB5\x03\x33\x4F\x76\xD1\xE7\x5C\x54\x01\x5D\xCB\x78\xF4\xC9\x0C\xBF\xCF\x12\x8E\x17\x2D\x23\x68\x94\xE7\xAB\xFE\xA9\xB2\x2B\x06\xD0\x04\xCD",
+	["CN=TeliaSonera Root CA v1,O=TeliaSonera"] = "\x30\x82\x05\x38\x30\x82\x03\x20\xA0\x03\x02\x01\x02\x02\x11\x00\x95\xBE\x16\xA0\xF7\x2E\x46\xF1\x7B\x39\x82\x72\xFA\x8B\xCD\x96\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x37\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x54\x65\x6C\x69\x61\x53\x6F\x6E\x65\x72\x61\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x65\x6C\x69\x61\x53\x6F\x6E\x65\x72\x61\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x76\x31\x30\x1E\x17\x0D\x30\x37\x31\x30\x31\x38\x31\x32\x30\x30\x35\x30\x5A\x17\x0D\x33\x32\x31\x30\x31\x38\x31\x32\x30\x30\x35\x30\x5A\x30\x37\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x54\x65\x6C\x69\x61\x53\x6F\x6E\x65\x72\x61\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x65\x6C\x69\x61\x53\x6F\x6E\x65\x72\x61\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x76\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC2\xBE\xEB\x27\xF0\x21\xA3\xF3\x69\x26\x55\x7E\x9D\xC5\x55\x16\x91\x5C\xFD\xEF\x21\xBF\x53\x80\x7A\x2D\xD2\x91\x8C\x63\x31\xF0\xEC\x24\xF0\xC3\xA5\xD2\x72\x7C\x10\x6D\xF4\x37\xB7\xE5\xE6\x7C\x79\xEA\x8C\xB5\x82\x8B\xAE\x48\xB6\xAC\x00\xDC\x65\x75\xEC\x2A\x4D\x5F\xC1\x87\xF5\x20\x65\x2B\x81\xA8\x47\x3E\x89\x23\x95\x30\x16\x90\x7F\xE8\x57\x07\x48\xE7\x19\xAE\xBF\x45\x67\xB1\x37\x1B\x06\x2A\xFE\xDE\xF9\xAC\x7D\x83\xFB\x5E\xBA\xE4\x8F\x97\x67\xBE\x4B\x8E\x8D\x64\x07\x57\x38\x55\x69\x34\x36\x3D\x13\x48\xEF\x4F\xE2\xD3\x66\x1E\xA4\xCF\x1A\xB7\x5E\x36\x33\xD4\xB4\x06\xBD\x18\x01\xFD\x77\x84\x50\x00\x45\xF5\x8C\x5D\xE8\x23\xBC\x7E\xFE\x35\xE1\xED\x50\x7B\xA9\x30\x8D\x19\xD3\x09\x8E\x68\x67\x5D\xBF\x3C\x97\x18\x53\xBB\x29\x62\xC5\xCA\x5E\x72\xC1\xC7\x96\xD4\xDB\x2D\xA0\xB4\x1F\x69\x03\xEC\xEA\xE2\x50\xF1\x0C\x3C\xF0\xAC\xF3\x53\x2D\xF0\x1C\xF5\xED\x6C\x39\x39\x73\x80\x16\xC8\x52\xB0\x23\xCD\xE0\x3E\xDC\xDD\x3C\x47\xA0\xBB\x35\x8A\xE2\x98\x68\x8B\xBE\xE5\xBF\x72\xEE\xD2\xFA\xA5\xED\x12\xED\xFC\x98\x18\xA9\x26\x76\xDC\x28\x4B\x10\x20\x1C\xD3\x7F\x16\x77\x2D\xED\x6F\x80\xF7\x49\xBB\x53\x05\xBB\x5D\x68\xC7\xD4\xC8\x75\x16\x3F\x89\x5A\x8B\xF7\x17\x47\xD4\x4C\xF1\xD2\x89\x79\x3E\x4D\x3D\x98\xA8\x61\xDE\x3A\x1E\xD2\xF8\x5E\x03\xE0\xC1\xC9\x1C\x8C\xD3\x8D\x4D\xD3\x95\x36\xB3\x37\x5F\x63\x63\x9B\x33\x14\xF0\x2D\x26\x6B\x53\x7C\x89\x8C\x32\xC2\x6E\xEC\x3D\x21\x00\x39\xC9\xA1\x68\xE2\x50\x83\x2E\xB0\x3A\x2B\xF3\x36\xA0\xAC\x2F\xE4\x6F\x61\xC2\x51\x09\x39\x3E\x8B\x53\xB9\xBB\x67\xDA\xDC\x53\xB9\x76\x59\x36\x9D\x43\xE5\x20\xE0\x3D\x32\x60\x85\x22\x51\xB7\xC7\x33\xBB\xDD\x15\x2F\xA4\x78\xA6\x07\x7B\x81\x46\x36\x04\x86\xDD\x79\x35\xC7\x95\x2C\x3B\xB0\xA3\x17\x35\xE5\x73\x1F\xB4\x5C\x59\xEF\xDA\xEA\x10\x65\x7B\x7A\xD0\x7F\x9F\xB3\xB4\x2A\x37\x3B\x70\x8B\x9B\x5B\xB9\x2B\xB7\xEC\xB2\x51\x12\x97\x53\x29\x5A\xD4\xF0\x12\x10\xDC\x4F\x02\xBB\x12\x92\x2F\x62\xD4\x3F\x69\x43\x7C\x0D\xD6\xFC\x58\x75\x01\x88\x9D\x58\x16\x4B\xDE\xBA\x90\xFF\x47\x01\x89\x06\x6A\xF6\x5F\xB2\x90\x6A\xB3\x02\xA6\x02\x88\xBF\xB3\x47\x7E\x2A\xD9\xD5\xFA\x68\x78\x35\x4D\x02\x03\x01\x00\x01\xA3\x3F\x30\x3D\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF0\x8F\x59\x38\x00\xB3\xF5\x8F\x9A\x96\x0C\xD5\xEB\xFA\x7B\xAA\x17\xE8\x13\x12\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xBE\xE4\x5C\x62\x4E\x24\xF4\x0C\x08\xFF\xF0\xD3\x0C\x68\xE4\x93\x49\x22\x3F\x44\x27\x6F\xBB\x6D\xDE\x83\x66\xCE\xA8\xCC\x0D\xFC\xF5\x9A\x06\xE5\x77\x14\x91\xEB\x9D\x41\x7B\x99\x2A\x84\xE5\xFF\xFC\x21\xC1\x5D\xF0\xE4\x1F\x57\xB7\x75\xA9\xA1\x5F\x02\x26\xFF\xD7\xC7\xF7\x4E\xDE\x4F\xF8\xF7\x1C\x46\xC0\x7A\x4F\x40\x2C\x22\x35\xF0\x19\xB1\xD0\x6B\x67\x2C\xB0\xA8\xE0\xC0\x40\x37\x35\xF6\x84\x5C\x5C\xE3\xAF\x42\x78\xFE\xA7\xC9\x0D\x50\xEA\x0D\x84\x76\xF6\x51\xEF\x83\x53\xC6\x7A\xFF\x0E\x56\x49\x2E\x8F\x7A\xD6\x0C\xE6\x27\x54\xE3\x4D\x0A\x60\x72\x62\xCD\x91\x07\xD6\xA5\xBF\xC8\x99\x6B\xED\xC4\x19\xE6\xAB\x4C\x11\x38\xC5\x6F\x31\xE2\x6E\x49\xC8\x3F\x76\x80\x26\x03\x26\x29\xE0\x36\xF6\xF6\x20\x53\xE3\x17\x70\x34\x17\x9D\x63\x68\x1E\x6B\xEC\xC3\x4D\x86\xB8\x13\x30\x2F\x5D\x46\x0D\x47\x43\xD5\x1B\xAA\x59\x0E\xB9\x5C\x8D\x06\x48\xAD\x74\x87\x5F\xC7\xFC\x31\x54\x41\x13\xE2\xC7\x21\x0E\x9E\xE0\x1E\x0D\xE1\xC0\x7B\x43\x85\x90\xC5\x8A\x58\xC6\x65\x0A\x78\x57\xF2\xC6\x23\x0F\x01\xD9\x20\x4B\xDE\x0F\xFB\x92\x85\x75\x2A\x5C\x73\x8D\x6D\x7B\x25\x91\xCA\xEE\x45\xAE\x06\x4B\x00\xCC\xD3\xB1\x59\x50\xDA\x3A\x88\x3B\x29\x43\x46\x5E\x97\x2B\x54\xCE\x53\x6F\x8D\x4A\xE7\x96\xFA\xBF\x71\x0E\x42\x8B\x7C\xFD\x28\xA0\xD0\x48\xCA\xDA\xC4\x81\x4C\xBB\xA2\x73\x93\x26\xC8\xEB\x0C\xD6\x26\x88\xB6\xC0\x24\xCF\xBB\xBD\x5B\xEB\x75\x7D\xE9\x08\x8E\x86\x33\x2C\x79\x77\x09\x69\xA5\x89\xFC\xB3\x70\x90\x87\x76\x8F\xD3\x22\xBB\x42\xCE\xBD\x73\x0B\x20\x26\x2A\xD0\x9B\x3D\x70\x1E\x24\x6C\xCD\x87\x76\xA9\x17\x96\xB7\xCF\x0D\x92\xFB\x8E\x18\xA9\x98\x49\xD1\x9E\xFE\x60\x44\x72\x21\xB9\x19\xED\xC2\xF5\x31\xF1\x39\x48\x88\x90\x24\x75\x54\x16\xAD\xCE\xF4\xF8\x69\x14\x64\x39\xFB\xA3\xB8\xBA\x70\x40\xC7\x27\x1C\xBF\xC4\x56\x53\xFA\x63\x65\xD0\xF3\x1C\x0E\x16\xF5\x6B\x86\x58\x4D\x18\xD4\xE4\x0D\x8E\xA5\x9D\x5B\x91\xDC\x76\x24\x50\x3F\xC6\x2A\xFB\xD9\xB7\x9C\xB5\xD6\xE6\xD0\xD9\xE8\x19\x8B\x15\x71\x48\xAD\xB7\xEA\xD8\x59\x88\xD4\x90\xBF\x16\xB3\xD9\xE9\xAC\x59\x61\x54\xC8\x1C\xBA\xCA\xC1\xCA\xE1\xB9\x20\x4C\x8F\x3A\x93\x89\xA5\xA0\xCC\xBF\xD3\xF6\x75\xA4\x75\x96\x6D\x56",
+	["CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tu\C4\9Fra EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E.,L=Ankara,C=TR"] = "\x30\x82\x06\x4B\x30\x82\x04\x33\xA0\x03\x02\x01\x02\x02\x08\x6A\x68\x3E\x9C\x51\x9B\xCB\x53\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xB2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x40\x30\x3E\x06\x03\x55\x04\x0A\x0C\x37\x45\x2D\x54\x75\xC4\x9F\x72\x61\x20\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x0C\x1D\x45\x2D\x54\x75\x67\x72\x61\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x28\x30\x26\x06\x03\x55\x04\x03\x0C\x1F\x45\x2D\x54\x75\x67\x72\x61\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x33\x30\x33\x30\x35\x31\x32\x30\x39\x34\x38\x5A\x17\x0D\x32\x33\x30\x33\x30\x33\x31\x32\x30\x39\x34\x38\x5A\x30\x81\xB2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x40\x30\x3E\x06\x03\x55\x04\x0A\x0C\x37\x45\x2D\x54\x75\xC4\x9F\x72\x61\x20\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x0C\x1D\x45\x2D\x54\x75\x67\x72\x61\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x28\x30\x26\x06\x03\x55\x04\x03\x0C\x1F\x45\x2D\x54\x75\x67\x72\x61\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE2\xF5\x3F\x93\x05\x51\x1E\x85\x62\x54\x5E\x7A\x0B\xF5\x18\x07\x83\xAE\x7E\xAF\x7C\xF7\xD4\x8A\x6B\xA5\x63\x43\x39\xB9\x4B\xF7\xC3\xC6\x64\x89\x3D\x94\x2E\x54\x80\x52\x39\x39\x07\x4B\x4B\xDD\x85\x07\x76\x87\xCC\xBF\x2F\x95\x4C\xCC\x7D\xA7\x3D\xBC\x47\x0F\x98\x70\xF8\x8C\x85\x1E\x74\x8E\x92\x6D\x1B\x40\xD1\x99\x0D\xBB\x75\x6E\xC8\xA9\x6B\x9A\xC0\x84\x31\xAF\xCA\x43\xCB\xEB\x2B\x34\xE8\x8F\x97\x6B\x01\x9B\xD5\x0E\x4A\x08\xAA\x5B\x92\x74\x85\x43\xD3\x80\xAE\xA1\x88\x5B\xAE\xB3\xEA\x5E\xCB\x16\x9A\x77\x44\xC8\xA1\xF6\x54\x68\xCE\xDE\x8F\x97\x2B\xBA\x5B\x40\x02\x0C\x64\x17\xC0\xB5\x93\xCD\xE1\xF1\x13\x66\xCE\x0C\x79\xEF\xD1\x91\x28\xAB\x5F\xA0\x12\x52\x30\x73\x19\x8E\x8F\xE1\x8C\x07\xA2\xC3\xBB\x4A\xF0\xEA\x1F\x15\xA8\xEE\x25\xCC\xA4\x46\xF8\x1B\x22\xEF\xB3\x0E\x43\xBA\x2C\x24\xB8\xC5\x2C\x5C\xD4\x1C\xF8\x5D\x64\xBD\xC3\x93\x5E\x28\xA7\x3F\x27\xF1\x8E\x1E\xD3\x2A\x50\x05\xA3\x55\xD9\xCB\xE7\x39\x53\xC0\x98\x9E\x8C\x54\x62\x8B\x26\xB0\xF7\x7D\x8D\x7C\xE4\xC6\x9E\x66\x42\x55\x82\x47\xE7\xB2\x58\x8D\x66\xF7\x07\x7C\x2E\x36\xE6\x50\x1C\x3F\xDB\x43\x24\xC5\xBF\x86\x47\x79\xB3\x79\x1C\xF7\x5A\xF4\x13\xEC\x6C\xF8\x3F\xE2\x59\x1F\x95\xEE\x42\x3E\xB9\xAD\xA8\x32\x85\x49\x97\x46\xFE\x4B\x31\x8F\x5A\xCB\xAD\x74\x47\x1F\xE9\x91\xB7\xDF\x28\x04\x22\xA0\xD4\x0F\x5D\xE2\x79\x4F\xEA\x6C\x85\x86\xBD\xA8\xA6\xCE\xE4\xFA\xC3\xE1\xB3\xAE\xDE\x3C\x51\xEE\xCB\x13\x7C\x01\x7F\x84\x0E\x5D\x51\x94\x9E\x13\x0C\xB6\x2E\xA5\x4C\xF9\x39\x70\x36\x6F\x96\xCA\x2E\x0C\x44\x55\xC5\xCA\xFA\x5D\x02\xA3\xDF\xD6\x64\x8C\x5A\xB3\x01\x0A\xA9\xB5\x0A\x47\x17\xFF\xEF\x91\x40\x2A\x8E\xA1\x46\x3A\x31\x98\xE5\x11\xFC\xCC\xBB\x49\x56\x8A\xFC\xB9\xD0\x61\x9A\x6F\x65\x6C\xE6\xC3\xCB\x3E\x75\x49\xFE\x8F\xA7\xE2\x89\xC5\x67\xD7\x9D\x46\x13\x4E\x31\x76\x3B\x24\xB3\x9E\x11\x65\x86\xAB\x7F\xEF\x1D\xD4\xF8\xBC\xE7\xAC\x5A\x5C\xB7\x5A\x47\x5C\x55\xCE\x55\xB4\x22\x71\x5B\x5B\x0B\xF0\xCF\xDC\xA0\x61\x64\xEA\xA9\xD7\x68\x0A\x63\xA7\xE0\x0D\x3F\xA0\xAF\xD3\xAA\xD2\x7E\xEF\x51\xA0\xE6\x51\x2B\x55\x92\x15\x17\x53\xCB\xB7\x66\x0E\x66\x4C\xF8\xF9\x75\x4C\x90\xE7\x12\x70\xC7\x45\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x2E\xE3\xDB\xB2\x49\xD0\x9C\x54\x79\x5C\xFA\x27\x2A\xFE\xCC\x4E\xD2\xE8\x4E\x54\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x2E\xE3\xDB\xB2\x49\xD0\x9C\x54\x79\x5C\xFA\x27\x2A\xFE\xCC\x4E\xD2\xE8\x4E\x54\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x05\x37\x3A\xF4\x4D\xB7\x45\xE2\x45\x75\x24\x8F\xB6\x77\x52\xE8\x1C\xD8\x10\x93\x65\xF3\xF2\x59\x06\xA4\x3E\x1E\x29\xEC\x5D\xD1\xD0\xAB\x7C\xE0\x0A\x90\x48\x78\xED\x4E\x98\x03\x99\xFE\x28\x60\x91\x1D\x30\x1D\xB8\x63\x7C\xA8\xE6\x35\xB5\xFA\xD3\x61\x76\xE6\xD6\x07\x4B\xCA\x69\x9A\xB2\x84\x7A\x77\x93\x45\x17\x15\x9F\x24\xD0\x98\x13\x12\xFF\xBB\xA0\x2E\xFD\x4E\x4C\x87\xF8\xCE\x5C\xAA\x98\x1B\x05\xE0\x00\x46\x4A\x82\x80\xA5\x33\x8B\x28\xDC\xED\x38\xD3\xDF\xE5\x3E\xE9\xFE\xFB\x59\xDD\x61\x84\x4F\xD2\x54\x96\x13\x61\x13\x3E\x8F\x80\x69\xBE\x93\x47\xB5\x35\x43\xD2\x5A\xBB\x3D\x5C\xEF\xB3\x42\x47\xCD\x3B\x55\x13\x06\xB0\x09\xDB\xFD\x63\xF6\x3A\x88\x0A\x99\x6F\x7E\xE1\xCE\x1B\x53\x6A\x44\x66\x23\x51\x08\x7B\xBC\x5B\x52\xA2\xFD\x06\x37\x38\x40\x61\x8F\x4A\x96\xB8\x90\x37\xF8\x66\xC7\x78\x90\x00\x15\x2E\x8B\xAD\x51\x35\x53\x07\xA8\x6B\x68\xAE\xF9\x4E\x3C\x07\x26\xCD\x08\x05\x70\xCC\x39\x3F\x76\xBD\xA5\xD3\x67\x26\x01\x86\xA6\x53\xD2\x60\x3B\x7C\x43\x7F\x55\x8A\xBC\x95\x1A\xC1\x28\x39\x4C\x1F\x43\xD2\x91\xF4\x72\x59\x8A\xB9\x56\xFC\x3F\xB4\x9D\xDA\x70\x9C\x76\x5A\x8C\x43\x50\xEE\x8E\x30\x72\x4D\xDF\xFF\x49\xF7\xC6\xA9\x67\xD9\x6D\xAC\x02\x11\xE2\x3A\x16\x25\xA7\x58\x08\xCB\x6F\x53\x41\x9C\x48\x38\x47\x68\x33\xD1\xD7\xC7\x8F\xD4\x74\x21\xD4\xC3\x05\x90\x7A\xFF\xCE\x96\x88\xB1\x15\x29\x5D\x23\xAB\xD0\x60\xA1\x12\x4F\xDE\xF4\x17\xCD\x32\xE5\xC9\xBF\xC8\x43\xAD\xFD\x2E\x8E\xF1\xAF\xE2\xF4\x98\xFA\x12\x1F\x20\xD8\xC0\xA7\x0C\x85\xC5\x90\xF4\x3B\x2D\x96\x26\xB1\x2C\xBE\x4C\xAB\xEB\xB1\xD2\x8A\xC9\xDB\x78\x13\x0F\x1E\x09\x9D\x6D\x8F\x00\x9F\x02\xDA\xC1\xFA\x1F\x7A\x7A\x09\xC4\x4A\xE6\x88\x2A\x97\x9F\x89\x8B\xFD\x37\x5F\x5F\x3A\xCE\x38\x59\x86\x4B\xAF\x71\x0B\xB4\xD8\xF2\x70\x4F\x9F\x32\x13\xE3\xB0\xA7\x57\xE5\xDA\xDA\x43\xCB\x84\x34\xF2\x28\xC4\xEA\x6D\xF4\x2A\xEF\xC1\x6B\x76\xDA\xFB\x7E\xBB\x85\x3C\xD2\x53\xC2\x4D\xBE\x71\xE1\x45\xD1\xFD\x23\x67\x0D\x13\x75\xFB\xCF\x65\x67\x22\x9D\xAE\xB0\x09\xD1\x09\xFF\x1D\x34\xBF\xFE\x23\x97\x37\xD2\x39\xFA\x3D\x0D\x06\x0B\xB4\xDB\x3B\xA3\xAB\x6F\x5C\x1D\xB6\x7E\xE8\xB3\x82\x34\xED\x06\x5C\x24",
+	["CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE"] = "\x30\x82\x03\xC3\x30\x82\x02\xAB\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x0C\x22\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x45\x6E\x74\x65\x72\x70\x72\x69\x73\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x47\x6D\x62\x48\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x0C\x16\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x47\x6C\x6F\x62\x61\x6C\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x32\x30\x1E\x17\x0D\x30\x38\x31\x30\x30\x31\x31\x30\x34\x30\x31\x34\x5A\x17\x0D\x33\x33\x31\x30\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x0C\x22\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x45\x6E\x74\x65\x72\x70\x72\x69\x73\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x47\x6D\x62\x48\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x0C\x16\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x47\x6C\x6F\x62\x61\x6C\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAA\x5F\xDA\x1B\x5F\xE8\x73\x91\xE5\xDA\x5C\xF4\xA2\xE6\x47\xE5\xF3\x68\x55\x60\x05\x1D\x02\xA4\xB3\x9B\x59\xF3\x1E\x8A\xAF\x34\xAD\xFC\x0D\xC2\xD9\x48\x19\xEE\x69\x8F\xC9\x20\xFC\x21\xAA\x07\x19\xED\xB0\x5C\xAC\x65\xC7\x5F\xED\x02\x7C\x7B\x7C\x2D\x1B\xD6\xBA\xB9\x80\xC2\x18\x82\x16\x84\xFA\x66\xB0\x08\xC6\x54\x23\x81\xE4\xCD\xB9\x49\x3F\xF6\x4F\x6E\x37\x48\x28\x38\x0F\xC5\xBE\xE7\x68\x70\xFD\x39\x97\x4D\xD2\xC7\x98\x91\x50\xAA\xC4\x44\xB3\x23\x7D\x39\x47\xE9\x52\x62\xD6\x12\x93\x5E\xB7\x31\x96\x42\x05\xFB\x76\xA7\x1E\xA3\xF5\xC2\xFC\xE9\x7A\xC5\x6C\xA9\x71\x4F\xEA\xCB\x78\xBC\x60\xAF\xC7\xDE\xF4\xD9\xCB\xBE\x7E\x33\xA5\x6E\x94\x83\xF0\x34\xFA\x21\xAB\xEA\x8E\x72\xA0\x3F\xA4\xDE\x30\x5B\xEF\x86\x4D\x6A\x95\x5B\x43\x44\xA8\x10\x15\x1C\xE5\x01\x57\xC5\x98\xF1\xE6\x06\x28\x91\xAA\x20\xC5\xB7\x53\x26\x51\x43\xB2\x0B\x11\x95\x58\xE1\xC0\x0F\x76\xD9\xC0\x8D\x7C\x81\xF3\x72\x70\x9E\x6F\xFE\x1A\x8E\xD9\x5F\x35\xC6\xB2\x6F\x34\x7C\xBE\x48\x4F\xE2\x5A\x39\xD7\xD8\x9D\x78\x9E\x9F\x86\x3E\x03\x5E\x19\x8B\x44\xA2\xD5\xC7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBF\x59\x20\x36\x00\x79\xA0\xA0\x22\x6B\x8C\xD5\xF2\x61\xD2\xB8\x2C\xCB\x82\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x31\x03\xA2\x61\x0B\x1F\x74\xE8\x72\x36\xC6\x6D\xF9\x4D\x9E\xFA\x22\xA8\xE1\x81\x56\xCF\xCD\xBB\x9F\xEA\xAB\x91\x19\x38\xAF\xAA\x7C\x15\x4D\xF3\xB6\xA3\x8D\xA5\xF4\x8E\xF6\x44\xA9\xA7\xE8\x21\x95\xAD\x3E\x00\x62\x16\x88\xF0\x02\xBA\xFC\x61\x23\xE6\x33\x9B\x30\x7A\x6B\x36\x62\x7B\xAD\x04\x23\x84\x58\x65\xE2\xDB\x2B\x8A\xE7\x25\x53\x37\x62\x53\x5F\xBC\xDA\x01\x62\x29\xA2\xA6\x27\x71\xE6\x3A\x22\x7E\xC1\x6F\x1D\x95\x70\x20\x4A\x07\x34\xDF\xEA\xFF\x15\x80\xE5\xBA\xD7\x7A\xD8\x5B\x75\x7C\x05\x7A\x29\x47\x7E\x40\xA8\x31\x13\x77\xCD\x40\x3B\xB4\x51\x47\x7A\x2E\x11\xE3\x47\x11\xDE\x9D\x66\xD0\x8B\xD5\x54\x66\xFA\x83\x55\xEA\x7C\xC2\x29\x89\x1B\xE9\x6F\xB3\xCE\xE2\x05\x84\xC9\x2F\x3E\x78\x85\x62\x6E\xC9\x5F\xC1\x78\x63\x74\x58\xC0\x48\x18\x0C\x99\x39\xEB\xA4\xCC\x1A\xB5\x79\x5A\x8D\x15\x9C\xD8\x14\x0D\xF6\x7A\x07\x57\xC7\x22\x83\x05\x2D\x3C\x9B\x25\x26\x3D\x18\xB3\xA9\x43\x7C\xC8\xC8\xAB\x64\x8F\x0E\xA3\xBF\x9C\x1B\x9D\x30\xDB\xDA\xD0\x19\x2E\xAA\x3C\xF1\xFB\x33\x80\x76\xE4\xCD\xAD\x19\x4F\x05\x27\x8E\x13\xA1\x6E\xC2",
+	["C=DE,O=Atos,CN=Atos TrustedRoot 2011"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x08\x5C\x33\xCB\x62\x2C\x5F\xB3\x32\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x3C\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x0C\x15\x41\x74\x6F\x73\x20\x54\x72\x75\x73\x74\x65\x64\x52\x6F\x6F\x74\x20\x32\x30\x31\x31\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x74\x6F\x73\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x30\x1E\x17\x0D\x31\x31\x30\x37\x30\x37\x31\x34\x35\x38\x33\x30\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x3C\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x0C\x15\x41\x74\x6F\x73\x20\x54\x72\x75\x73\x74\x65\x64\x52\x6F\x6F\x74\x20\x32\x30\x31\x31\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x74\x6F\x73\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x95\x85\x3B\x97\x6F\x2A\x3B\x2E\x3B\xCF\xA6\xF3\x29\x35\xBE\xCF\x18\xAC\x3E\xAA\xD9\xF8\x4D\xA0\x3E\x1A\x47\xB9\xBC\x9A\xDF\xF2\xFE\xCC\x3E\x47\xE8\x7A\x96\xC2\x24\x8E\x35\xF4\xA9\x0C\xFC\x82\xFD\x6D\xC1\x72\x62\x27\xBD\xEA\x6B\xEB\xE7\x8A\xCC\x54\x3E\x90\x50\xCF\x80\xD4\x95\xFB\xE8\xB5\x82\xD4\x14\xC5\xB6\xA9\x55\x25\x57\xDB\xB1\x50\xF6\xB0\x60\x64\x59\x7A\x69\xCF\x03\xB7\x6F\x0D\xBE\xCA\x3E\x6F\x74\x72\xEA\xAA\x30\x2A\x73\x62\xBE\x49\x91\x61\xC8\x11\xFE\x0E\x03\x2A\xF7\x6A\x20\xDC\x02\x15\x0D\x5E\x15\x6A\xFC\xE3\x82\xC1\xB5\xC5\x9D\x64\x09\x6C\xA3\x59\x98\x07\x27\xC7\x1B\x96\x2B\x61\x74\x71\x6C\x43\xF1\xF7\x35\x89\x10\xE0\x9E\xEC\x55\xA1\x37\x22\xA2\x87\x04\x05\x2C\x47\x7D\xB4\x1C\xB9\x62\x29\x66\x28\xCA\xB7\xE1\x93\xF5\xA4\x94\x03\x99\xB9\x70\x85\xB5\xE6\x48\xEA\x8D\x50\xFC\xD9\xDE\xCC\x6F\x07\x0E\xDD\x0B\x72\x9D\x80\x30\x16\x07\x95\x3F\x28\x0E\xFD\xC5\x75\x4F\x53\xD6\x74\x9A\xB4\x24\x2E\x8E\x02\x91\xCF\x76\xC5\x9B\x1E\x55\x74\x9C\x78\x21\xB1\xF0\x2D\xF1\x0B\x9F\xC2\xD5\x96\x18\x1F\xF0\x54\x22\x7A\x8C\x07\x02\x03\x01\x00\x01\xA3\x7D\x30\x7B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA7\xA5\x06\xB1\x2C\xA6\x09\x60\xEE\xD1\x97\xE9\x70\xAE\xBC\x3B\x19\x6C\xDB\x21\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA7\xA5\x06\xB1\x2C\xA6\x09\x60\xEE\xD1\x97\xE9\x70\xAE\xBC\x3B\x19\x6C\xDB\x21\x30\x18\x06\x03\x55\x1D\x20\x04\x11\x30\x0F\x30\x0D\x06\x0B\x2B\x06\x01\x04\x01\xB0\x2D\x03\x04\x01\x01\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x26\x77\x34\xDB\x94\x48\x86\x2A\x41\x9D\x2C\x3E\x06\x90\x60\xC4\x8C\xAC\x0B\x54\xB8\x1F\xB9\x7B\xD3\x07\x39\xE4\xFA\x3E\x7B\xB2\x3D\x4E\xED\x9F\x23\xBD\x97\xF3\x6B\x5C\xEF\xEE\xFD\x40\xA6\xDF\xA1\x93\xA1\x0A\x86\xAC\xEF\x20\xD0\x79\x01\xBD\x78\xF7\x19\xD8\x24\x31\x34\x04\x01\xA6\xBA\x15\x9A\xC3\x27\xDC\xD8\x4F\x0F\xCC\x18\x63\xFF\x99\x0F\x0E\x91\x6B\x75\x16\xE1\x21\xFC\xD8\x26\xC7\x47\xB7\xA6\xCF\x58\x72\x71\x7E\xBA\xE1\x4D\x95\x47\x3B\xC9\xAF\x6D\xA1\xB4\xC1\xEC\x89\xF6\xB4\x0F\x38\xB5\xE2\x64\xDC\x25\xCF\xA6\xDB\xEB\x9A\x5C\x99\xA1\xC5\x08\xDE\xFD\xE6\xDA\xD5\xD6\x5A\x45\x0C\xC4\xB7\xC2\xB5\x14\xEF\xB4\x11\xFF\x0E\x15\xB5\xF5\xF5\xDB\xC6\xBD\xEB\x5A\xA7\xF0\x56\x22\xA9\x3C\x65\x54\xC6\x15\xA8\xBD\x86\x9E\xCD\x83\x96\x68\x7A\x71\x81\x89\xE1\x0B\xE1\xEA\x11\x1B\x68\x08\xCC\x69\x9E\xEC\x9E\x41\x9E\x44\x32\x26\x7A\xE2\x87\x0A\x71\x3D\xEB\xE4\x5A\xA4\xD2\xDB\xC5\xCD\xC6\xDE\x60\x7F\xB9\xF3\x4F\x44\x92\xEF\x2A\xB7\x18\x3E\xA7\x19\xD9\x0B\x7D\xB1\x37\x41\x42\xB0\xBA\x60\x1D\xF2\xFE\x09\x11\xB0\xF0\x87\x7B\xA7\x9D",
 };

From 2be0cb210ad437992507203e7802c8012d981f34 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 28 Feb 2014 15:26:35 -0800
Subject: [PATCH 064/220] Updating CHANGES and VERSION.

---
 CHANGES | 4 ++++
 NEWS    | 2 ++
 VERSION | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 3b5c29cdc8..f2ec3ef3a5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-194 | 2014-02-28 14:50:53 -0800
+
+  * Remove packet sorter. Addresses BIT-700. (Bernhard Amann)
+    
 2.2-192 | 2014-02-28 09:46:43 -0800
 
   * Update Mozilla root bundle. (Bernhard Amann)
diff --git a/NEWS b/NEWS
index 9b87de3e41..54ee916d5b 100644
--- a/NEWS
+++ b/NEWS
@@ -47,6 +47,8 @@ Changed Functionality
 
   TODO: Update if we add a detector for filtered traces.
 
+- We have removed the packet sorter component.
+
 Bro 2.2
 =======
 
diff --git a/VERSION b/VERSION
index df4bb3a595..c133a83bd4 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-192
+2.2-194

From ffd219e3b0739ebc0c55158d54cb16642a253ac3 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 28 Feb 2014 15:28:20 -0800
Subject: [PATCH 065/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index 5e1a917880..07349a4593 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5e1a917880143ec824ffbe1ffaa6fc176c47b611
+Subproject commit 07349a459372d72b333bbc50e5f70584520c0bb3

From f2f817c8b15bf104904390d6abd38a0e5c33f53e Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 28 Feb 2014 15:36:58 -0800
Subject: [PATCH 066/220] Forgot to remove test code when merging.

---
 CHANGES       | 4 ++++
 VERSION       | 2 +-
 src/PktSrc.cc | 6 ------
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index f2ec3ef3a5..4cb4ad82c0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-197 | 2014-02-28 15:36:58 -0800
+
+  * Remove test code. (Robin Sommer)
+
 2.2-194 | 2014-02-28 14:50:53 -0800
 
   * Remove packet sorter. Addresses BIT-700. (Bernhard Amann)
diff --git a/VERSION b/VERSION
index c133a83bd4..90e2bd5d51 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-194
+2.2-197
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
index 528f10f92c..b5ac3a5d69 100644
--- a/src/PktSrc.cc
+++ b/src/PktSrc.cc
@@ -220,12 +220,6 @@ void PktSrc::Process()
 		break;
 		}
 
-	case DLT_IEEE802_11:
-		{
-			printf("Here\n");
-			exit(0);
-		}
-
 	case DLT_EN10MB:
 		{
 		// Get protocol being carried from the ethernet frame.

From 338d521003c66531b53dfe84755e2b3479d88d32 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 2 Mar 2014 13:52:32 -0800
Subject: [PATCH 067/220] Fixing removal of support analyzers, plus some
 tweaking and cleanup of CONNECT code.

Removal of support analyzers was broken. The code now actually doesn't
delete them immediately anymore but instead just flags them as
disabled. They'll be destroyed with the parent analyzer later.

Also includes a new leak tests exercising the CONNECT code.

Lines starting # with '#' will be ignored, and an empty message aborts
the commit. # On branch topic/robin/http-connect # Changes to be
committed: # modified: scripts/base/protocols/http/main.bro #
modified: scripts/base/protocols/ssl/consts.bro # modified:
src/analyzer/Analyzer.cc # modified: src/analyzer/Analyzer.h #
modified: src/analyzer/protocol/http/HTTP.cc # new file:
testing/btest/core/leaks/http-connect.bro # modified:
testing/btest/scripts/base/protocols/http/http-connect.bro # #
Untracked files: # .tags # changes.txt # conn.log # debug.log # diff #
mpls-in-vlan.patch # newfile.pcap # packet_filter.log # reporter.log #
src/PktSrc.cc.orig # weird.log #
---
 scripts/base/protocols/http/main.bro          |   2 +-
 scripts/base/protocols/ssl/consts.bro         |   1 +
 src/analyzer/Analyzer.cc                      | 114 ++++++++++--------
 src/analyzer/Analyzer.h                       |  29 ++++-
 src/analyzer/protocol/http/HTTP.cc            |  26 ++--
 testing/btest/core/leaks/http-connect.bro     |  14 +++
 .../base/protocols/http/http-connect.bro      |   7 +-
 7 files changed, 128 insertions(+), 65 deletions(-)
 create mode 100644 testing/btest/core/leaks/http-connect.bro

diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 27257be2d6..ed20bc6586 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -218,7 +218,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 		c$http$info_code = code;
 		c$http$info_msg = reason;
 		}
-	
+
 	if ( c$http?$method && c$http$method == "CONNECT" && code == 200 )
 		{
 		# Copy this conn_id and set the orig_p to zero because in the case of CONNECT proxies there will
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 55289a7419..b81aebfbbb 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -86,6 +86,7 @@ export {
 		[13172] = "next_protocol_negotiation",
 		[13175] = "origin_bound_certificates",
 		[13180] = "encrypted_client_certificates",
+		[30031] = "channel_id",
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 03734f1a22..63462c0049 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -209,11 +209,11 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq,
 	if ( skip )
 		return;
 
-	// If we have support analyzers, we pass it to them.
-	if ( is_orig && orig_supporters )
-		orig_supporters->NextPacket(len, data, is_orig, seq, ip, caplen);
-	else if ( ! is_orig && resp_supporters )
-		resp_supporters->NextPacket(len, data, is_orig, seq, ip, caplen);
+	SupportAnalyzer* next_sibling = FirstSupportAnalyzer(is_orig);
+
+	if ( next_sibling )
+		next_sibling->NextPacket(len, data, is_orig, seq, ip, caplen);
+
 	else
 		{
 		try
@@ -232,11 +232,11 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
 	if ( skip )
 		return;
 
-	// If we have support analyzers, we pass it to them.
-	if ( is_orig && orig_supporters )
-		orig_supporters->NextStream(len, data, is_orig);
-	else if ( ! is_orig && resp_supporters )
-		resp_supporters->NextStream(len, data, is_orig);
+	SupportAnalyzer* next_sibling = FirstSupportAnalyzer(is_orig);
+
+	if ( next_sibling )
+		next_sibling->NextStream(len, data, is_orig);
+
 	else
 		{
 		try
@@ -255,11 +255,11 @@ void Analyzer::NextUndelivered(int seq, int len, bool is_orig)
 	if ( skip )
 		return;
 
-	// If we have support analyzers, we pass it to them.
-	if ( is_orig && orig_supporters )
-		orig_supporters->NextUndelivered(seq, len, is_orig);
-	else if ( ! is_orig && resp_supporters )
-		resp_supporters->NextUndelivered(seq, len, is_orig);
+	SupportAnalyzer* next_sibling = FirstSupportAnalyzer(is_orig);
+
+	if ( next_sibling )
+		next_sibling->NextUndelivered(seq, len, is_orig);
+
 	else
 		{
 		try
@@ -278,11 +278,10 @@ void Analyzer::NextEndOfData(bool is_orig)
 	if ( skip )
 		return;
 
-	// If we have support analyzers, we pass it to them.
-	if ( is_orig && orig_supporters )
-		orig_supporters->NextEndOfData(is_orig);
-	else if ( ! is_orig && resp_supporters )
-		resp_supporters->NextEndOfData(is_orig);
+	SupportAnalyzer* next_sibling = FirstSupportAnalyzer(is_orig);
+
+	if ( next_sibling )
+		next_sibling->NextEndOfData(is_orig);
 	else
 		EndOfData(is_orig);
 	}
@@ -558,31 +557,17 @@ void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer)
 
 void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer)
 	{
-	SupportAnalyzer** head =
-		analyzer->IsOrig() ? &orig_supporters : &resp_supporters;
-
-	SupportAnalyzer* prev = 0;
-	SupportAnalyzer* s;
-	for ( s = *head; s && s != analyzer; prev = s, s = s->sibling )
-		;
-
-	if ( ! s )
-		return;
-
-	if ( prev )
-		prev->sibling = s->sibling;
-	else
-		*head = s->sibling;
-
-	DBG_LOG(DBG_ANALYZER, "%s removed support %s",
+	DBG_LOG(DBG_ANALYZER, "%s disabled %s support analyzer %s",
 			fmt_analyzer(this).c_str(),
 			analyzer->IsOrig() ? "originator" : "responder",
 			fmt_analyzer(analyzer).c_str());
 
-	if ( ! analyzer->finished )
-		analyzer->Done();
-
-	delete analyzer;
+	// We mark the analyzer as being removed here, which will prevent it
+	// from being used further. However, we don't actually delete it
+	// before the parent gets destroyed. While we woulc do that, it's a
+	// bit tricky to do at the right time and it doesn't seem worth the
+	// trouble.
+	analyzer->removing = true;
 	return;
 	}
 
@@ -596,6 +581,19 @@ bool Analyzer::HasSupportAnalyzer(Tag tag, bool orig)
 	return false;
 	}
 
+SupportAnalyzer* Analyzer::FirstSupportAnalyzer(bool orig)
+	{
+	SupportAnalyzer* sa = orig ? orig_supporters : resp_supporters;
+
+	if ( ! sa )
+		return 0;
+
+	if ( ! sa->Removing() )
+		return sa;
+
+	return sa->Sibling(true);
+	}
+
 void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 				int seq, const IP_Hdr* ip, int caplen)
 	{
@@ -782,16 +780,32 @@ void Analyzer::Weird(const char* name, const char* addl)
 	conn->Weird(name, addl);
 	}
 
+SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const
+	{
+	if ( ! only_active )
+		return sibling;
+
+	SupportAnalyzer* next = sibling;
+	while ( next && next->Removing() )
+		next = next->sibling;
+
+	return next;
+	}
+
 void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
 					int seq, const IP_Hdr* ip, int caplen)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
+
 	if ( GetOutputHandler() )
 		GetOutputHandler()->DeliverPacket(len, data, is_orig, seq,
 							ip, caplen);
-	else if ( sibling )
+
+	SupportAnalyzer* next_sibling = Sibling(true);
+
+	if ( next_sibling )
 		// Pass to next in chain.
-		sibling->NextPacket(len, data, is_orig, seq, ip, caplen);
+		next_sibling->NextPacket(len, data, is_orig, seq, ip, caplen);
 	else
 		// Finished with preprocessing - now it's the parent's turn.
 		Parent()->DeliverPacket(len, data, is_orig, seq, ip, caplen);
@@ -800,12 +814,15 @@ void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
 void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
+
 	if ( GetOutputHandler() )
 		GetOutputHandler()->DeliverStream(len, data, is_orig);
 
-	else if ( sibling )
+	SupportAnalyzer* next_sibling = Sibling(true);
+
+	if ( next_sibling )
 		// Pass to next in chain.
-		sibling->NextStream(len, data, is_orig);
+		next_sibling->NextStream(len, data, is_orig);
 	else
 		// Finished with preprocessing - now it's the parent's turn.
 		Parent()->DeliverStream(len, data, is_orig);
@@ -814,12 +831,15 @@ void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
+
 	if ( GetOutputHandler() )
 		GetOutputHandler()->Undelivered(seq, len, is_orig);
 
-	else if ( sibling )
+	SupportAnalyzer* next_sibling = Sibling(true);
+
+	if ( next_sibling )
 		// Pass to next in chain.
-		sibling->NextUndelivered(seq, len, is_orig);
+		next_sibling->NextUndelivered(seq, len, is_orig);
 	else
 		// Finished with preprocessing - now it's the parent's turn.
 		Parent()->Undelivered(seq, len, is_orig);
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index f7ca07ca51..578020082b 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -587,7 +587,7 @@ protected:
 	void RemoveTimer(Timer* t);
 
 	/**
-	 * Returnsn true if the analyzer has associated an SupportAnalyzer of a given type.
+	 * Returns true if the analyzer has associated an SupportAnalyzer of a given type.
 	 *
 	 * @param tag The type to check for.
 	 *
@@ -595,6 +595,14 @@ protected:
 	 */
 	bool HasSupportAnalyzer(Tag tag, bool orig);
 
+	/**
+	 * Returns the first still active support analyzer for the given
+	 * direction, or null if none.
+	 *
+	 * @param orig True if asking about the originator side.
+	 */
+	SupportAnalyzer* FirstSupportAnalyzer(bool orig);
+
 	/**
 	 * Adds a a new child analyzer with the option whether to intialize
 	 * it. This is an internal method.
@@ -616,6 +624,12 @@ protected:
 	 */
 	void AppendNewChildren();
 
+	/**
+	 * Returns true if the analyzer has been flagged for removal and
+	 * shouldn't be used otherwise anymore.
+	 */
+	bool Removing() const	{ return removing; }
+
 private:
 	// Internal method to eventually delete a child analyzer that's
 	// already Done().
@@ -718,6 +732,14 @@ public:
 	 */
 	bool IsOrig() const 	{ return orig; }
 
+	/**
+	 * Returns the analyzer's next sibling, or null if none.
+	 *
+	 * only_active: If true, this will skip siblings that are still link
+	 * but flagged for removal.
+	 */
+	SupportAnalyzer* Sibling(bool only_active = false) const;
+
 	/**
 	* Passes packet input to the next sibling SupportAnalyzer if any, or
 	* on to the associated main analyzer if none. If however there's an
@@ -749,11 +771,6 @@ public:
 	*/
 	virtual void ForwardUndelivered(int seq, int len, bool orig);
 
-	/**
-	 * Returns the analyzer next sibling, or null if none.
-	 */
-	SupportAnalyzer* Sibling() const 	{ return sibling; }
-
 protected:
 	friend class Analyzer;
 
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 93dbfbcb2e..0d49bb037f 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -950,7 +950,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 	if ( pia )
 		{
-		// There will be a PIA instance if this connection has been identified 
+		// There will be a PIA instance if this connection has been identified
 		// as a connect proxy.
 		ForwardStream(len, data, is_orig);
 		return;
@@ -1066,14 +1066,10 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 				HTTP_Reply();
 
-				InitHTTPMessage(content_line,
-						reply_message, is_orig,
-						ExpectReplyMessageBody(),
-						len);
-
 				if ( connect_request && reply_code == 200 )
 					{
 					pia = new pia::PIA_TCP(Conn());
+
 					if ( AddChildAnalyzer(pia) )
 						{
 						pia->FirstPacket(true, 0);
@@ -1084,13 +1080,22 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 						// need to be removed.
 						RemoveSupportAnalyzer(content_line_orig);
 						RemoveSupportAnalyzer(content_line_resp);
+
+						return;
 						}
+
 					else
 						{
+						// Shouldn't really happen.
+						delete pia;
 						pia = 0;
 						}
 					}
 
+				InitHTTPMessage(content_line,
+						reply_message, is_orig,
+						ExpectReplyMessageBody(),
+						len);
 				}
 			else
 				{
@@ -1422,6 +1427,12 @@ void HTTP_Analyzer::HTTP_Request()
 	{
 	ProtocolConfirmation();
 
+	const char* method = (const char*) request_method->AsString()->Bytes();
+	int method_len = request_method->AsString()->Len();
+
+	if ( strcasecmp_n(method_len, method, "CONNECT") == 0 )
+		connect_request = true;
+
 	if ( http_request )
 		{
 		val_list* vl = new val_list;
@@ -1436,9 +1447,6 @@ void HTTP_Analyzer::HTTP_Request()
 		// DEBUG_MSG("%.6f http_request\n", network_time);
 		ConnectionEvent(http_request, vl);
 		}
-
-	if ( strcasecmp_n(request_method->AsString()->Len(), (const char*) (request_method->AsString()->Bytes()), "CONNECT") == 0 )
-		connect_request = true;
 	}
 
 void HTTP_Analyzer::HTTP_Reply()
diff --git a/testing/btest/core/leaks/http-connect.bro b/testing/btest/core/leaks/http-connect.bro
new file mode 100644
index 0000000000..e9a47d00a2
--- /dev/null
+++ b/testing/btest/core/leaks/http-connect.bro
@@ -0,0 +1,14 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/http/connect-with-smtp.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 15
+
+@load base/protocols/conn
+@load base/protocols/http
+@load base/protocols/smtp
+@load base/protocols/tunnels
+@load base/frameworks/dpd
diff --git a/testing/btest/scripts/base/protocols/http/http-connect.bro b/testing/btest/scripts/base/protocols/http/http-connect.bro
index d8157e2c49..7073d88ac2 100644
--- a/testing/btest/scripts/base/protocols/http/http-connect.bro
+++ b/testing/btest/scripts/base/protocols/http/http-connect.bro
@@ -6,6 +6,9 @@
 # @TEST-EXEC: btest-diff smtp.log
 # @TEST-EXEC: btest-diff tunnel.log
 
-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
+@load base/protocols/conn
+@load base/protocols/http
+@load base/protocols/smtp
+@load base/protocols/tunnels
+@load base/frameworks/dpd
 

From ac9c44afd872d0ac837871723f2b8ae0a7042415 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 2 Mar 2014 13:57:10 -0800
Subject: [PATCH 068/220] Updating submodule(s).

 [nomail]
---
 aux/broctl   | 2 +-
 src/3rdparty | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aux/broctl b/aux/broctl
index 66793ec3c6..07349a4593 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 66793ec3c602439e235bee705b654aefb7ac8dec
+Subproject commit 07349a459372d72b333bbc50e5f70584520c0bb3
diff --git a/src/3rdparty b/src/3rdparty
index 42a4c9694a..e96d95a130 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 42a4c9694a2b2677b050fbb7cbae26bc5ec4605a
+Subproject commit e96d95a130a572b611fe70b3c3ede2b4727aaa22

From d0f8edb2a4affa843918afc568a4b040d308560a Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Tue, 11 Feb 2014 15:30:22 -0500
Subject: [PATCH 069/220] Expanding the HTTP methods used in the signature to
 detect HTTP traffic.

---
 scripts/base/protocols/http/dpd.sig | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/http/dpd.sig b/scripts/base/protocols/http/dpd.sig
index 13470f4e95..3e264f0bb3 100644
--- a/scripts/base/protocols/http/dpd.sig
+++ b/scripts/base/protocols/http/dpd.sig
@@ -1,6 +1,8 @@
+# List of HTTP headers pulled from:
+#   http://annevankesteren.nl/2007/10/http-methods
 signature dpd_http_client {
   ip-proto == tcp
-  payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/
+  payload /^[[:space:]]*(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH|BCOPY|BDELETE|BMOVE|BPROPFIND|BPROPPATCH|NOTIFY|POLL|SUBSCRIBE|UNSUBSCRIBE|X-MS-ENUMATTS|RPC_OUT_DATA|RPC_IN_DATA)[[:space:]]*/
   tcp-state originator
 }
 
@@ -11,3 +13,5 @@ signature dpd_http_server {
   requires-reverse-signature dpd_http_client
   enable "http"
 }
+
+

From 0f4c7080cc81e9bc66168d6612b80b3af7b54514 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 3 Mar 2014 07:09:38 -0800
Subject: [PATCH 070/220] HTTP fix for output handlers.

Had broken that with the CONNECT change.
---
 src/analyzer/Analyzer.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 63462c0049..b280cbb6f8 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -798,8 +798,11 @@ void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
 	// We do not call parent's method, as we're replacing the functionality.
 
 	if ( GetOutputHandler() )
+		{
 		GetOutputHandler()->DeliverPacket(len, data, is_orig, seq,
 							ip, caplen);
+		return;
+		}
 
 	SupportAnalyzer* next_sibling = Sibling(true);
 
@@ -816,7 +819,10 @@ void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 	// We do not call parent's method, as we're replacing the functionality.
 
 	if ( GetOutputHandler() )
+		{
 		GetOutputHandler()->DeliverStream(len, data, is_orig);
+		return;
+		}
 
 	SupportAnalyzer* next_sibling = Sibling(true);
 
@@ -833,7 +839,10 @@ void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
 	// We do not call parent's method, as we're replacing the functionality.
 
 	if ( GetOutputHandler() )
+		{
 		GetOutputHandler()->Undelivered(seq, len, is_orig);
+		return;
+		}
 
 	SupportAnalyzer* next_sibling = Sibling(true);
 

From a1f2ab34ac6781d1eb1eb6ca94bb48cbc8312a4a Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 3 Mar 2014 10:49:28 -0800
Subject: [PATCH 071/220] Add verify functionality, including the ability to
 get the validated chain. This means that it is now possible to get
 information about the root-certificates that were used to secure a
 connection.

Intermediate commit before changing the script interface again.

addresses BIT-953, BIT-760
---
 scripts/base/files/x509/main.bro              |  11 +-
 scripts/base/init-bare.bro                    |  18 +-
 src/Type.h                                    |  13 ++
 src/file_analysis/analyzer/x509/X509.cc       |  55 +++---
 src/file_analysis/analyzer/x509/X509.h        |  11 +-
 src/file_analysis/analyzer/x509/events.bif    |   8 +-
 src/file_analysis/analyzer/x509/functions.bif | 171 ++++++++++++++++++
 src/file_analysis/analyzer/x509/types.bif     |   2 +-
 8 files changed, 249 insertions(+), 40 deletions(-)
 create mode 100644 src/file_analysis/analyzer/x509/functions.bif

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index d19327f07c..7f7ff3064a 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -5,24 +5,27 @@ module X509;
 
 export {
 	redef enum Log::ID += { LOG };
+
+	redef record Files::Info += {
+	};
 }
 
-event x509_cert(f: fa_file, cert: X509::Certificate)
+event x509_cert(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
 	{
 	print cert;
 	}
 
-event x509_extension(f: fa_file, cert: X509::Certificate, ext: X509::Extension)
+event x509_extension(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::Extension)
 {
 print ext;
 }
 
-event x509_ext_basic_constraints(f: fa_file, cert: X509::Certificate, ext: X509::BasicConstraints)
+event x509_ext_basic_constraints(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::BasicConstraints)
 {
 print ext;
 }
 
-event x509_ext_subject_alternative_name(f: fa_file, cert: X509::Certificate, ext: X509::SubjectAlternativeName) 
+event x509_ext_subject_alternative_name(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: string_vec) 
 {
 print ext;
 }
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index e4c1803fcb..12b056a541 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -46,6 +46,13 @@ type index_vec: vector of count;
 ##    directly and then remove this alias.
 type string_vec: vector of string;
 
+## A vector of x509 opaques.
+##
+## .. todo:: We need this type definition only for declaring builtin functions
+##    via ``bifcl``. We should extend ``bifcl`` to understand composite types
+##    directly and then remove this alias.
+type x509_opaque_vector: vector of opaque of x509;
+
 ## A vector of addresses.
 ##
 ## .. todo:: We need this type definition only for declaring builtin functions
@@ -2744,7 +2751,6 @@ export {
 module X509;
 export {
 	type X509::Certificate: record {
-		certificate: opaque of x509; ##< OpenSSL certificate reference
 		version: count;	##< Version number.
 		serial: string;	##< Serial number.
 		subject: string;	##< Subject.
@@ -2774,8 +2780,14 @@ export {
 		path_len: count &optional;
 	};
 	
-	type X509::SubjectAlternativeName: record {
-		names: vector of string;
+	## Result of an X509 certificate chain verification
+	type X509::Result: record {
+		## OpenSSL result code
+		result:	count;
+		## Result as string
+		result_string: string;
+		## References to the final certificate chain, if verification successful. End-host certificate is first.
+		chain_certs: vector of opaque of x509 &optional;
 	};
 }
 		
diff --git a/src/Type.h b/src/Type.h
index 742b933ec1..323938d4c5 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -73,6 +73,7 @@ class EnumType;
 class Serializer;
 class VectorType;
 class TypeType;
+class OpaqueType;
 
 const int DOES_NOT_MATCH_INDEX = 0;
 const int MATCHES_INDEX_SCALAR = 1;
@@ -204,6 +205,18 @@ public:
 		return (VectorType*) this;
 		}
 
+	OpaqueType* AsOpaqueType()
+		{
+		CHECK_TYPE_TAG(TYPE_OPAQUE, "BroType::AsOpaqueType");
+		return (OpaqueType*) this;
+		}
+
+	const OpaqueType* AsOpaqueType() const
+		{
+		CHECK_TYPE_TAG(TYPE_OPAQUE, "BroType::AsOpaqueType");
+		return (OpaqueType*) this;
+		}
+
 	VectorType* AsVectorType()
 	        {
 		CHECK_TYPE_TAG(TYPE_VECTOR, "BroType::AsVectorType");
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 684f4f54ba..a254188585 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -49,7 +49,17 @@ bool file_analysis::X509::EndOfFile()
 		return false;
 		}
 
-	RecordVal* cert_record = ParseCertificate(ssl_cert); // cert_record takes ownership of ssl_cert
+	X509Val* cert_val = new X509Val(ssl_cert); // cert_val takes ownership of ssl_cert
+
+	RecordVal* cert_record = ParseCertificate(cert_val); // parse basic information into record
+
+	// and send	the record on to scriptland
+	val_list* vl = new val_list();
+	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(cert_val->Ref());
+	vl->append(cert_record->Ref()); // we Ref it here, because we want to keep a copy around for now...
+
+	mgr.QueueEvent(x509_cert, vl);
 
 	// after parsing the certificate - parse the extensions...
 
@@ -60,7 +70,7 @@ bool file_analysis::X509::EndOfFile()
 		if ( !ex )
 			continue;
 
-		ParseExtension(ex, cert_record);
+		ParseExtension(ex, cert_record, cert_val);
 		}
 	
 	// X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted
@@ -69,34 +79,36 @@ bool file_analysis::X509::EndOfFile()
 	// The certificate will be freed when the last X509Val is Unref'd.
 	
 	Unref(cert_record); // Unref the RecordVal that we kept around from ParseCertificate
+	Unref(cert_val); // Same for cert_val
 
 	return false;
 	}
 
-RecordVal* file_analysis::X509::ParseCertificate(::X509* ssl_cert) 
+RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) 
 	{
+	::X509* ssl_cert = cert_val->GetCertificate();
+
 	char buf[256]; // we need a buffer for some of the openssl functions
 	memset(buf, 0, 256);
 	
 	RecordVal* pX509Cert = new RecordVal(BifType::Record::X509::Certificate);
 	BIO *bio = BIO_new(BIO_s_mem());
 
-	pX509Cert->Assign(0, new X509Val(ssl_cert)); // take ownership for cleanup
-	pX509Cert->Assign(1, new Val((uint64) X509_get_version(ssl_cert), TYPE_COUNT));
+	pX509Cert->Assign(0, new Val((uint64) X509_get_version(ssl_cert), TYPE_COUNT));
 	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
 	int len = BIO_read(bio, &(*buf), sizeof buf);
-	pX509Cert->Assign(2, new StringVal(len, buf));
+	pX509Cert->Assign(1, new StringVal(len, buf));
 
 	X509_NAME_print_ex(bio, X509_get_subject_name(ssl_cert), 0, XN_FLAG_RFC2253);
 	len = BIO_gets(bio, &(*buf), sizeof buf);
-	pX509Cert->Assign(3, new StringVal(len, buf));
+	pX509Cert->Assign(2, new StringVal(len, buf));
 	X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
 	len = BIO_gets(bio, &(*buf), sizeof buf);
-	pX509Cert->Assign(4, new StringVal(len, buf));
+	pX509Cert->Assign(3, new StringVal(len, buf));
 	BIO_free(bio);
 
-	pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notBefore(ssl_cert)), TYPE_TIME));
-	pX509Cert->Assign(6, new Val(get_time_from_asn1(X509_get_notAfter(ssl_cert)), TYPE_TIME));
+	pX509Cert->Assign(4, new Val(get_time_from_asn1(X509_get_notBefore(ssl_cert)), TYPE_TIME));
+	pX509Cert->Assign(5, new Val(get_time_from_asn1(X509_get_notAfter(ssl_cert)), TYPE_TIME));
 
 	// we only read 255 bytes because byte 256 is always 0.
 	// if the string is longer than 255, that will be our null-termination,
@@ -141,16 +153,11 @@ RecordVal* file_analysis::X509::ParseCertificate(::X509* ssl_cert)
 			pX509Cert->Assign(9, new Val(length, TYPE_COUNT));
 		}
 
-	val_list* vl = new val_list();
-	vl->append(GetFile()->GetVal()->Ref());
-	vl->append(pX509Cert->Ref()); // we Ref it here, because we want to keep a copy around for now...
-
-	mgr.QueueEvent(x509_cert, vl);
 
 	return pX509Cert;
 	}
 
-void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r) 
+void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val) 
 	{
 	char name[256];
 	char oid[256];
@@ -196,6 +203,7 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r)
 	// but I am not sure if there is a better way to do it...
 	val_list* vl = new val_list();
 	vl->append(GetFile()->GetVal()->Ref());
+	vl->append(cert_val->Ref());
 	vl->append(r->Ref());
 	vl->append(pX509Ext);
 
@@ -203,12 +211,12 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r)
 
 	// look if we have a specialized handler for this event...
 	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) 
-		ParseBasicConstraints(ex, r);
+		ParseBasicConstraints(ex, r, cert_val);
 	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
-		ParseSAN(ex, r);
+		ParseSAN(ex, r, cert_val);
 	}
 
-void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r) 
+void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
 	
@@ -226,6 +234,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r
 		}
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
+		vl->append(cert_val->Ref());
 		vl->append(r->Ref());
 		vl->append(pBasicConstraint);
 
@@ -234,7 +243,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r
 		}
 	}
 
-void file_analysis::X509::ParseSAN(X509_EXTENSION* ext, RecordVal* r) 
+void file_analysis::X509::ParseSAN(X509_EXTENSION* ext, RecordVal* r, X509Val* cert_val) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
 
@@ -273,13 +282,11 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext, RecordVal* r)
 			}
 		}
 
-		RecordVal* pSan = new RecordVal(BifType::Record::X509::SubjectAlternativeName);
-		pSan->Assign(0, names);
-
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
+		vl->append(cert_val->Ref());
 		vl->append(r->Ref());
-		vl->append(pSan);
+		vl->append(names);
 
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
 	}
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index f64aa3eb58..b535ebe256 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -12,12 +12,16 @@
 
 namespace file_analysis {
 
+class X509Val;
+
 class X509 : public file_analysis::Analyzer {
 public:
 	//~X509();
 
 	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
 		{ return new X509(args, file); }
+	
+	static RecordVal* ParseCertificate(X509Val* cert_val);
 
 	virtual bool DeliverStream(const u_char* data, uint64 len);
 	virtual bool Undelivered(uint64 offset, uint64 len);	
@@ -31,10 +35,9 @@ private:
 	static StringVal* key_curve(EVP_PKEY *key);
 	static unsigned int key_length(EVP_PKEY *key);
 
-	RecordVal* ParseCertificate(::X509* ssl_cert);
-	void ParseExtension(X509_EXTENSION* ex, RecordVal* r);
-	void ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r);
-	void ParseSAN(X509_EXTENSION* ex, RecordVal* r);
+	void ParseExtension(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val);
+	void ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val);
+	void ParseSAN(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val);
 
 	std::string cert_data;
 };
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 2787746e0c..b78f819e90 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1,4 +1,4 @@
-event x509_cert%(f: fa_file, cert: X509::Certificate%);
-event x509_extension%(f: fa_file, cert: X509::Certificate, ext: X509::Extension%);
-event x509_ext_basic_constraints%(f: fa_file, cert: X509::Certificate, ext: X509::BasicConstraints%);
-event x509_ext_subject_alternative_name%(f: fa_file, cert: X509::Certificate, ext: X509::SubjectAlternativeName%);
+event x509_cert%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
+event x509_extension%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::Extension%);
+event x509_ext_basic_constraints%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::BasicConstraints%);
+event x509_ext_subject_alternative_name%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, names: string_vec%);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
new file mode 100644
index 0000000000..7af8883aef
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -0,0 +1,171 @@
+%%{
+#include "file_analysis/analyzer/x509/X509.h"
+#include "types.bif.h"
+
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/x509_vfy.h>
+
+// This is the indexed map of X509 certificate stores.
+static map<Val*, X509_STORE*> x509_stores;
+
+// ### NOTE: while d2i_X509 does not take a const u_char** pointer,
+// here we assume d2i_X509 does not write to <data>, so it is safe to
+// convert data to a non-const pointer.  Could some X509 guru verify
+// this?
+
+X509* d2i_X509_(X509** px, const u_char** in, int len)
+	{
+#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
+	  return d2i_X509(px, in, len);
+#else
+	  return d2i_X509(px, (u_char**)in, len);
+#endif
+	}
+
+%%}
+
+## Parses a certificate into an X509::Certificate structure
+##
+## cert: The x509 certificicate opaque
+##
+## Returns: A X509::Certificate structure
+##
+## .. bro:see:: x509_verify
+function x509_parse%(cert: opaque of x509%): X509::Certificate
+	%{
+	assert(cert);
+	file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+	
+	return file_analysis::X509::ParseCertificate(h);
+	%}
+
+## Verifies a certificate.
+##
+## cert_val: The X.509 certificate in DER format.
+##
+## cert_stack: Specifies a certificate chain that is being used to validate
+##             the given certificate against the root store given in *root_certs*
+##
+## root_certs: A list of root certificates to validate the certificate chain
+##
+## Returns: A record of type X509::Result containing the result code of the verify
+##          operation. In case of success also returns the full certificate chain.
+##
+## .. bro:see:: x509_parse
+function x509_verify%(cert_val: opaque of x509, cert_stack: x509_opaque_vector, root_certs: table_string_of_string%): X509::Result
+	%{
+	X509_STORE* ctx = 0;
+	int i = 0;
+
+	// If this certificate store was built previously, just reuse the old one.
+	if ( x509_stores.count(root_certs) > 0 )
+		ctx = x509_stores[root_certs];
+
+	if ( ! ctx ) // lookup to see if we have this one built already!
+		{
+		ctx = X509_STORE_new();
+		TableVal* root_certs2 = root_certs->AsTableVal();
+		ListVal* idxs = root_certs2->ConvertToPureList();
+
+		// Build the validation store
+		for ( i = 0; i < idxs->Length(); ++i )
+			{
+			Val* key = idxs->Index(i);
+			StringVal *sv = root_certs2->Lookup(key)->AsStringVal();
+			const uint8* data = sv->Bytes();
+			X509* x = d2i_X509_(NULL, &data, sv->Len());
+			if ( ! x )
+				{
+				builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
+				return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+				}
+			X509_STORE_add_cert(ctx, x);
+			}
+		delete idxs;
+
+		// Save the newly constructed certificate store into the cacheing map.
+		x509_stores[root_certs] = ctx;
+		}
+
+	assert(cert_val);
+	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) cert_val;
+
+	X509* cert = cert_handle->GetCertificate();
+	if ( ! cert )
+		{
+		builtin_error(fmt("No certificate in opaque"));
+		return new Val(-1, TYPE_COUNT);
+		}
+
+	STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
+	if ( ! untrusted_certs )
+		{
+		builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
+		return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+		}
+
+	VectorVal *cert_stack_vec = cert_stack->AsVectorVal();
+	for ( i = 0; i < (int) cert_stack_vec->Size(); ++i )
+		{
+		Val *sv = cert_stack_vec->Lookup(i);
+		// Fixme: check type
+		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
+		if ( ! x )
+			{
+			sk_X509_pop(untrusted_certs);
+			builtin_error(fmt("No certificate in opaque in stack"));
+			return new Val(-1, TYPE_COUNT);
+			}
+		sk_X509_push(untrusted_certs, x);
+		}
+
+	X509_STORE_CTX csc;
+	X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
+	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
+
+	int result = X509_verify_cert(&csc);
+
+	VectorVal* chainVector = 0;
+		if ( result == 1 ) // we have a valid chain. try to get it...
+		{
+		STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(&csc); // get1 = deep copy
+
+		if (!chain) 
+			{
+			reporter->Error("Encountered valid chain that could not be resolved");
+			goto x509_verify_chainerror;
+			}
+		
+		int num_certs = sk_X509_num(chain);
+		chainVector = new VectorVal(new VectorType(base_type(TYPE_OPAQUE)));
+
+		for ( int i = 0; i < num_certs; i++ ) 
+			{
+			X509* currcert = sk_X509_value(chain, i);
+			if ( !currcert )
+				{
+				reporter->InternalError("OpenSSL returned null certificate");
+				goto x509_verify_chainerror;
+				}
+
+			chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			}
+		}
+
+x509_verify_chainerror:
+
+	X509_STORE_CTX_cleanup(&csc);
+
+	if ( untrusted_certs )
+		sk_X509_pop(untrusted_certs);
+
+	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
+
+	rrecord->Assign(0, new Val((uint64) csc.error, TYPE_COUNT));
+	rrecord->Assign(1, new StringVal(X509_verify_cert_error_string(csc.error)));
+	if ( chainVector ) 
+		rrecord->Assign(2, chainVector);
+
+	return rrecord;
+	%}
diff --git a/src/file_analysis/analyzer/x509/types.bif b/src/file_analysis/analyzer/x509/types.bif
index 49a915c7fc..6b3049883e 100644
--- a/src/file_analysis/analyzer/x509/types.bif
+++ b/src/file_analysis/analyzer/x509/types.bif
@@ -1,5 +1,5 @@
 type X509::Certificate: record;
 type X509::Extension: record;
 type X509::BasicConstraints: record;
-type X509::SubjectAlternativeName: record;
+type X509::Result: record;
 

From 110d9fbd6a79020a77b6f84b7f3289835e023c33 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 3 Mar 2014 17:07:50 -0800
Subject: [PATCH 072/220] X509 file analyzer nearly done. Verification and most
 other policy scripts work fine now.

Todo:
 * update all baselines
 * fix the circular reference to the fa_file structure I introduced :)
   Sadly this does not seem to be entirely straightforward.

addresses BIT-953, BIT-760
---
 scripts/base/files/x509/README                |  1 +
 scripts/base/files/x509/main.bro              | 77 +++++++++++----
 scripts/base/init-bare.bro                    |  4 +-
 scripts/base/init-default.bro                 |  4 +-
 scripts/base/protocols/ssl/files.bro          | 76 +++++++++++++--
 scripts/base/protocols/ssl/main.bro           | 32 +------
 .../policy/frameworks/intel/seen/__load__.bro |  3 +-
 scripts/policy/frameworks/intel/seen/ssl.bro  | 21 -----
 .../frameworks/intel/seen/where-locations.bro |  3 +-
 scripts/policy/frameworks/intel/seen/x509.bro | 16 ++++
 scripts/policy/protocols/ssl/cert-hash.bro    | 22 -----
 .../policy/protocols/ssl/expiring-certs.bro   | 22 ++---
 .../protocols/ssl/extract-certs-pem.bro       | 31 ++----
 scripts/policy/protocols/ssl/known-certs.bro  | 20 ++--
 scripts/policy/protocols/ssl/notary.bro       |  9 +-
 .../policy/protocols/ssl/validate-certs.bro   | 29 +++---
 src/file_analysis/analyzer/x509/X509.cc       | 22 ++---
 src/file_analysis/analyzer/x509/X509.h        |  6 +-
 src/file_analysis/analyzer/x509/events.bif    |  8 +-
 src/file_analysis/analyzer/x509/functions.bif | 94 +++++++++++++++----
 20 files changed, 303 insertions(+), 197 deletions(-)
 create mode 100644 scripts/base/files/x509/README
 create mode 100644 scripts/policy/frameworks/intel/seen/x509.bro
 delete mode 100644 scripts/policy/protocols/ssl/cert-hash.bro

diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README
new file mode 100644
index 0000000000..8b50366cd2
--- /dev/null
+++ b/scripts/base/files/x509/README
@@ -0,0 +1 @@
+Support for X509 certificates with the file analysis framework.
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 7f7ff3064a..2238cf0c8b 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -1,32 +1,77 @@
-
 @load base/frameworks/files
+@load base/files/hash
 
 module X509;
 
 export {
 	redef enum Log::ID += { LOG };
 
-	redef record Files::Info += {
+	type Info: record {
+		## current timestamp
+		ts: time &log &default=network_time();
+
+		## file id of this certificate
+		id: string &log;
+    
+		## Basic information about the certificate
+		certificate: X509::Certificate &log;
+
+		## The opaque wrapping the certificate. Mainly used
+		## for the verify operations
+		handle: opaque of x509;
+
+		## All extensions that were encountered in the certificate
+		extensions: vector of X509::Extension &default=vector();
+
+		## Subject alternative name extension of the certificate
+		san: string_vec &optional &log;
+
+		## Basic constraints extension of the certificate
+		basic_constraints: X509::BasicConstraints &optional &log;
 	};
+
+	## Event for accessing logged records.
+	global log_x509: event(rec: Info);
 }
 
-event x509_cert(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+event bro_init() &priority=5
 	{
-	print cert;
+	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]);
 	}
 
-event x509_extension(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::Extension)
-{
-print ext;
-}
+redef record fa_file += {
+	## Information about X509 certificates. This is used to keep
+	## certificate information until all events have been received.
+	x509: X509::Info &optional;
+};
 
-event x509_ext_basic_constraints(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::BasicConstraints)
-{
-print ext;
-}
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
+	{
+	f$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
+	}
 
-event x509_ext_subject_alternative_name(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: string_vec) 
-{
-print ext;
-}
+event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
+	{
+	if ( f?$x509 )
+		f$x509$extensions[|f$x509$extensions|] = ext;
+	}
 
+event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
+	{
+	if ( f?$x509 )
+		f$x509$basic_constraints = ext;
+	}
+
+event x509_ext_subject_alternative_name(f: fa_file, names: string_vec) &priority=5
+	{
+	if ( f?$x509 )
+		f$x509$san = names;
+	}
+
+event file_state_remove(f: fa_file)
+	{
+	if ( f?$x509 )
+		{
+		Log::write(LOG, f$x509);
+		}
+	}
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 12b056a541..f59355895d 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2765,7 +2765,7 @@ export {
 		curve: string &optional; ##< curve, if EC-certificate
 		#ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
 		#path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
-	};
+	} &log;
 
 	type X509::Extension: record {
 		name: string; ##< long name of extension. oid if name not known
@@ -2778,7 +2778,7 @@ export {
 	type X509::BasicConstraints: record {
 		ca: bool; ##< CA flag set?
 		path_len: count &optional;
-	};
+	} &log;
 	
 	## Result of an X509 certificate chain verification
 	type X509::Result: record {
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index b4dca043c0..91f1157811 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -38,6 +38,9 @@
 @load base/frameworks/sumstats
 @load base/frameworks/tunnels
 
+# needed for the SSL protocol
+@load base/files/x509
+
 @load base/protocols/conn
 @load base/protocols/dhcp
 @load base/protocols/dnp3
@@ -57,7 +60,6 @@
 @load base/files/hash
 @load base/files/extract
 @load base/files/unified2
-@load base/files/x509
 
 @load base/misc/find-checksum-offloading
 @load base/misc/find-filtered-trace
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 7582a428ae..a8e755e953 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -6,9 +6,33 @@ module SSL;
 
 export {
 	redef record Info += {
-		## An ordered vector of file unique IDs which contains
-		## all the certificates sent over the connection
-		fuids: vector of string &log &default=string_vec();
+		## Chain of certificates offered by the server to validate its
+		## complete signing chain.
+		cert_chain: vector of fa_file &optional;
+
+		## An ordered vector of all certicate file unique IDs for the
+		## certificates offered by the server.
+		cert_chain_fuids: vector of string &optional &log;
+
+		## Chain of certificates offered by the client to validate its
+		## complete signing chain.
+		client_cert_chain: vector of fa_file &optional;
+		
+		## An ordered vector of all certicate file unique IDs for the
+		## certificates offered by the client.
+		client_cert_chain_fuids: vector of string &optional &log;
+		
+		## Subject of the X.509 certificate offered by the server.
+		subject:          string           &log &optional;
+		## Subject of the signer of the X.509 certificate offered by the
+		## server.
+		issuer:   string           &log &optional;
+		
+		## Subject of the X.509 certificate offered by the client.
+		client_subject:          string           &log &optional;
+		## Subject of the signer of the X.509 certificate offered by the
+		## client.
+		client_issuer:   string           &log &optional;
 	};
 
 	## Default file handle provider for SSL.
@@ -20,7 +44,7 @@ export {
 
 function get_file_handle(c: connection, is_orig: bool): string
 	{
-	return cat(Analyzer::ANALYZER_SMTP, c$start_time);
+	return cat(Analyzer::ANALYZER_SSL, c$start_time);
 	}
 
 function describe_file(f: fa_file): string
@@ -29,6 +53,8 @@ function describe_file(f: fa_file): string
 	if ( f$source != "SSL" )
 		return "";
 
+	# Fixme!
+
 	return "";
 	}
 
@@ -41,8 +67,46 @@ event bro_init() &priority=5
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( c?$ssl )
-		c$ssl$fuids[|c$ssl$fuids|] = f$id;
+	if ( ! c?$ssl )
+		return;
+
+	if ( ! c$ssl?$cert_chain )
+		{
+		c$ssl$cert_chain = vector();
+		c$ssl$client_cert_chain = vector();
+		c$ssl$cert_chain_fuids = string_vec();
+		c$ssl$client_cert_chain_fuids = string_vec();
+		}	
+
+	if ( is_orig )
+		{
+		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f;
+		c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
+		}
+	else
+		{
+		c$ssl$cert_chain[|c$ssl$cert_chain|] = f;
+		c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
+		}
 
 	Files::add_analyzer(f, Files::ANALYZER_X509);
+	# always calculate hashes for certificates
+	Files::add_analyzer(f, Files::ANALYZER_MD5);
+	Files::add_analyzer(f, Files::ANALYZER_SHA1);
+	}
+
+event ssl_established(c: connection) &priority=6
+	{
+	# update subject and issuer information
+	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
+		{
+		c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
+		c$ssl$issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
+		}
+
+	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 )
+		{
+		c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
+		c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
+		}
 	}
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index be62cf419d..e803077d19 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -24,36 +24,9 @@ export {
 		server_name:      string           &log &optional;
 		## Session ID offered by the client for session resumption.
 		session_id:       string           &log &optional;
-		## Subject of the X.509 certificate offered by the server.
-		subject:          string           &log &optional;
-		## Subject of the signer of the X.509 certificate offered by the
-		## server.
-		issuer_subject:   string           &log &optional;
-		## NotValidBefore field value from the server certificate.
-		not_valid_before: time             &log &optional;
-		## NotValidAfter field value from the server certificate.
-		not_valid_after:  time             &log &optional;
 		## Last alert that was seen during the connection.
 		last_alert:       string           &log &optional;
 
-		## Subject of the X.509 certificate offered by the client.
-		client_subject:          string           &log &optional;
-		## Subject of the signer of the X.509 certificate offered by the
-		## client.
-		client_issuer_subject:   string           &log &optional;
-
-		## Full binary server certificate stored in DER format.
-		cert:             string           &optional;
-		## Chain of certificates offered by the server to validate its
-		## complete signing chain.
-		cert_chain:       vector of string &optional;
-
-		## Full binary client certificate stored in DER format.
-		client_cert:             string           &optional;
-		## Chain of certificates offered by the client to validate its
-		## complete signing chain.
-		client_cert_chain:       vector of string &optional;
-
 		## The analyzer ID used for the analyzer instance attached
 		## to each connection.  It is not used for logging since it's a
 		## meaningless arbitrary number.
@@ -108,8 +81,7 @@ event bro_init() &priority=5
 function set_session(c: connection)
 	{
 	if ( ! c?$ssl )
-		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id, $cert_chain=vector(),
-		         $client_cert_chain=vector()];
+		c$ssl = [$ts=network_time(), $uid=c$uid, $id=c$id];
 	}
 
 function delay_log(info: Info, token: string)
@@ -185,7 +157,7 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
 	c$ssl$last_alert = alert_descriptions[desc];
 	}
 
-event ssl_established(c: connection) &priority=5
+event ssl_established(c: connection) &priority=7
 	{
 	set_session(c);
 	}
diff --git a/scripts/policy/frameworks/intel/seen/__load__.bro b/scripts/policy/frameworks/intel/seen/__load__.bro
index 01034d95e2..807bf0fcb2 100644
--- a/scripts/policy/frameworks/intel/seen/__load__.bro
+++ b/scripts/policy/frameworks/intel/seen/__load__.bro
@@ -6,4 +6,5 @@
 @load ./http-url
 @load ./ssl
 @load ./smtp
-@load ./smtp-url-extraction
\ No newline at end of file
+@load ./smtp-url-extraction
+@load ./x509
diff --git a/scripts/policy/frameworks/intel/seen/ssl.bro b/scripts/policy/frameworks/intel/seen/ssl.bro
index e404c39e5b..c41dbbdbe1 100644
--- a/scripts/policy/frameworks/intel/seen/ssl.bro
+++ b/scripts/policy/frameworks/intel/seen/ssl.bro
@@ -2,27 +2,6 @@
 @load base/protocols/ssl
 @load ./where-locations
 
-event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string)
-	{
-	if ( chain_idx == 0 )
-		{
-		if ( /emailAddress=/ in cert$subject )
-			{
-			local email = sub(cert$subject, /^.*emailAddress=/, "");
-			email = sub(email, /,.*$/, "");
-			Intel::seen([$indicator=email,
-			             $indicator_type=Intel::EMAIL,
-			             $conn=c,
-			             $where=(is_orig ? SSL::IN_CLIENT_CERT : SSL::IN_SERVER_CERT)]);
-			}
-
-		Intel::seen([$indicator=sha1_hash(der_cert),
-		             $indicator_type=Intel::CERT_HASH,
-		             $conn=c,
-		             $where=(is_orig ? SSL::IN_CLIENT_CERT : SSL::IN_SERVER_CERT)]);
-		}
-	}
-
 event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
 	{
 	if ( is_orig && SSL::extensions[code] == "server_name" && 
diff --git a/scripts/policy/frameworks/intel/seen/where-locations.bro b/scripts/policy/frameworks/intel/seen/where-locations.bro
index 0387814ea7..b9b4325bc1 100644
--- a/scripts/policy/frameworks/intel/seen/where-locations.bro
+++ b/scripts/policy/frameworks/intel/seen/where-locations.bro
@@ -21,9 +21,8 @@ export {
 		SMTP::IN_REPLY_TO,
 		SMTP::IN_X_ORIGINATING_IP_HEADER,
 		SMTP::IN_MESSAGE,
-		SSL::IN_SERVER_CERT,
-		SSL::IN_CLIENT_CERT,
 		SSL::IN_SERVER_NAME,
 		SMTP::IN_HEADER,
+		X509::IN_CERT,
 	};
 }
diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.bro
new file mode 100644
index 0000000000..de6c0ab495
--- /dev/null
+++ b/scripts/policy/frameworks/intel/seen/x509.bro
@@ -0,0 +1,16 @@
+@load base/frameworks/intel
+@load base/files/x509
+@load ./where-locations
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+	{
+	if ( /emailAddress=/ in cert$subject )
+		{
+		local email = sub(cert$subject, /^.*emailAddress=/, "");
+		email = sub(email, /,.*$/, "");
+		Intel::seen([$indicator=email,
+								 $indicator_type=Intel::EMAIL,
+								 $f=f,
+								 $where=X509::IN_CERT]);
+		}
+	}
diff --git a/scripts/policy/protocols/ssl/cert-hash.bro b/scripts/policy/protocols/ssl/cert-hash.bro
deleted file mode 100644
index 32a165a946..0000000000
--- a/scripts/policy/protocols/ssl/cert-hash.bro
+++ /dev/null
@@ -1,22 +0,0 @@
-##! Calculate MD5 sums for server DER formatted certificates.
-
-@load base/protocols/ssl
-
-module SSL;
-
-export {
-	redef record Info += {
-		## MD5 sum of the raw server certificate.
-		cert_hash: string &log &optional;
-	};
-}
-
-event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=4
-	{
-	# We aren't tracking client certificates yet and we are also only tracking
-	# the primary cert.  Watch that this came from an SSL analyzed session too.
-	if ( is_orig || chain_idx != 0 || ! c?$ssl ) 
-		return;
-
-	c$ssl$cert_hash = md5_hash(der_cert);
-	}
\ No newline at end of file
diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index be6526877b..fc48ad9f2b 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -3,10 +3,7 @@
 ##! certificate.
 
 @load base/protocols/ssl
-@load base/frameworks/notice
-@load base/utils/directions-and-hosts
-
-@load protocols/ssl/cert-hash
+@load base/files/x509
 
 module SSL;
 
@@ -35,30 +32,31 @@ export {
 	const notify_when_cert_expiring_in = 30days &redef;
 }
 
-event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
+event ssl_established(c: connection) &priority=3
 	{
-	# If this isn't the host cert or we aren't interested in the server, just return.
-	if ( is_orig || 
-		 chain_idx != 0 ||
-		 ! c$ssl?$cert_hash || 
+	# If there are no certificates or we are not interested in the server, just return.
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
 		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 		return;
+
+	local hash = c$ssl$cert_chain[0]$info$md5;
+	local cert = c$ssl$cert_chain[0]$x509$certificate;
 	
 	if ( cert$not_valid_before > network_time() )
 		NOTICE([$note=Certificate_Not_Valid_Yet,
 		        $conn=c, $suppress_for=1day,
 		        $msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
 	
 	else if ( cert$not_valid_after < network_time() )
 		NOTICE([$note=Certificate_Expired,
 		        $conn=c, $suppress_for=1day,
 		        $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
 	
 	else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
 	}
diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.bro
index 32293ebef3..247d58fea2 100644
--- a/scripts/policy/protocols/ssl/extract-certs-pem.bro
+++ b/scripts/policy/protocols/ssl/extract-certs-pem.bro
@@ -10,8 +10,7 @@
 ##!
 
 @load base/protocols/ssl
-@load base/utils/directions-and-hosts
-@load protocols/ssl/cert-hash
+@load base/files/x509
 
 module SSL;
 
@@ -23,41 +22,31 @@ export {
 }
 
 # This is an internally maintained variable to prevent relogging of
-# certificates that have already been seen.  It is indexed on an md5 sum of
+# certificates that have already been seen.  It is indexed on an sha1 sum of
 # the certificate.
 global extracted_certs: set[string] = set() &read_expire=1hr &redef;
 
 event ssl_established(c: connection) &priority=5
 	{
-	if ( ! c$ssl?$cert )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
 		return;
 
 	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
 		return;
 
-	if ( c$ssl$cert_hash in extracted_certs )
+	local hash = c$ssl$cert_chain[0]$info$sha1;
+	local cert = c$ssl$cert_chain[0]$x509$handle;
+
+	if ( hash in extracted_certs )
 		# If we already extracted this cert, don't do it again.
 		return;
 
-	add extracted_certs[c$ssl$cert_hash];
+	add extracted_certs[hash];
 	local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
 	local outfile = open_for_append(filename);
+	enable_raw_output(outfile);
 
-	print outfile, "-----BEGIN CERTIFICATE-----";
+	print outfile, x509_get_certificate_string(cert, T);
 
-	# Encode to base64 and format to fit 50 lines. Otherwise openssl won't like it later.
-	local lines = split_all(encode_base64(c$ssl$cert), /.{50}/);
-	local i = 1;
-	for ( line in lines )
-		{
-		if ( |lines[i]| > 0 )
-			{
-			print outfile, lines[i];
-			}
-		i+=1;
-		}
-
-	print outfile, "-----END CERTIFICATE-----";
-	print outfile, "";
 	close(outfile);
 	}
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
index 478074f55a..e1bf59e72d 100644
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -3,7 +3,7 @@
 
 @load base/utils/directions-and-hosts
 @load base/protocols/ssl
-@load protocols/ssl/cert-hash
+@load base/files/x509
 
 module Known;
 
@@ -31,9 +31,9 @@ export {
 	const cert_tracking = LOCAL_HOSTS &redef;
 	
 	## The set of all known certificates to store for preventing duplicate 
-	## logging.  It can also be used from other scripts to 
+	## logging. It can also be used from other scripts to 
 	## inspect if a certificate has been seen in use. The string value 
-	## in the set is for storing the DER formatted certificate's MD5 hash.
+	## in the set is for storing the DER formatted certificate' SHA1 hash.
 	global certs: set[addr, string] &create_expire=1day &synchronized &redef;
 	
 	## Event that can be handled to access the loggable record as it is sent
@@ -46,16 +46,18 @@ event bro_init() &priority=5
 	Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs]);
 	}
 
-event x509_certificate(c: connection, is_orig: bool, cert: X509, chain_idx: count, chain_len: count, der_cert: string) &priority=3
+event ssl_established(c: connection) &priority=3
 	{
-	# Make sure this is the server cert and we have a hash for it.
-	if ( is_orig || chain_idx != 0 || ! c$ssl?$cert_hash ) 
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
 		return;
-	
+
+	local hash = c$ssl$cert_chain[0]$info$sha1;
+	local cert = c$ssl$cert_chain[0]$x509$certificate;
+
 	local host = c$id$resp_h;
-	if ( [host, c$ssl$cert_hash] !in certs && addr_matches_host(host, cert_tracking) )
+	if ( [host, hash] !in certs && addr_matches_host(host, cert_tracking) )
 		{
-		add certs[host, c$ssl$cert_hash];
+		add certs[host, hash];
 		Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host,
 		                              $port_num=c$id$resp_p, $subject=cert$subject,
 		                              $issuer_subject=cert$issuer,
diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro
index 29cd655860..424959df2f 100644
--- a/scripts/policy/protocols/ssl/notary.bro
+++ b/scripts/policy/protocols/ssl/notary.bro
@@ -16,7 +16,6 @@ export {
 }
 
 redef record SSL::Info += {
-	sha1:   string &log &optional;
 	notary: Response &log &optional;
 	};
 
@@ -38,14 +37,12 @@ function clear_waitlist(digest: string)
 		}
 	}
 
-event x509_certificate(c: connection, is_orig: bool, cert: X509,
-                       chain_idx: count, chain_len: count, der_cert: string)
+event ssl_established(c: connection) &priority=3
 	{
-	if ( is_orig || chain_idx != 0 || ! c?$ssl )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
 		return;
 
-	local digest = sha1_hash(der_cert);
-	c$ssl$sha1 = digest;
+	local digest = c$ssl$cert_chain[0]$info$sha1;
 
 	if ( digest in notary_cache )
 		{
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index 886c28b6ac..de22e2d30d 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -2,7 +2,6 @@
 
 @load base/frameworks/notice
 @load base/protocols/ssl
-@load protocols/ssl/cert-hash
 
 module SSL;
 
@@ -19,9 +18,9 @@ export {
 		validation_status: string &log &optional;
 	};
 	
-	## MD5 hash values for recently validated certs along with the
+	## MD5 hash values for recently validated chains along with the
 	## validation status message are kept in this table to avoid constant
-	## validation every time the same certificate is seen.
+	## validation every time the same certificate chain is seen.
 	global recently_validated_certs: table[string] of string = table() 
 		&read_expire=5mins &synchronized &redef;
 }
@@ -29,18 +28,26 @@ export {
 event ssl_established(c: connection) &priority=3
 	{
 	# If there aren't any certs we can't very well do certificate validation.
-	if ( ! c$ssl?$cert || ! c$ssl?$cert_chain )
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
 		return;
-	
-	if ( c$ssl?$cert_hash && c$ssl$cert_hash in recently_validated_certs )
+
+	local chain_id = join_string_vec(c$ssl$cert_chain_fuids, ".");
+
+	local chain: vector of opaque of x509 = vector();
+	for ( i in c$ssl$cert_chain )
 		{
-		c$ssl$validation_status = recently_validated_certs[c$ssl$cert_hash];
+		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+		}
+
+	if ( chain_id in recently_validated_certs )
+		{
+		c$ssl$validation_status = recently_validated_certs[chain_id];
 		}
 	else
 		{
-		local result = x509_verify(c$ssl$cert, c$ssl$cert_chain, root_certs);
-		c$ssl$validation_status = x509_err2str(result);
-		recently_validated_certs[c$ssl$cert_hash] = c$ssl$validation_status;
+		local result = x509_verify(chain, root_certs);
+		c$ssl$validation_status = result$result_string;
+		recently_validated_certs[chain_id] = result$result_string;
 		}
 		
 	if ( c$ssl$validation_status != "ok" )
@@ -48,7 +55,7 @@ event ssl_established(c: connection) &priority=3
 		local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
 		NOTICE([$note=Invalid_Server_Cert, $msg=message,
 		        $sub=c$ssl$subject, $conn=c,
-		        $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status,c$ssl$cert_hash)]);
+		        $identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$validation_status)]);
 		}
 	}
 
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index a254188585..96e0964eff 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -59,7 +59,7 @@ bool file_analysis::X509::EndOfFile()
 	vl->append(cert_val->Ref());
 	vl->append(cert_record->Ref()); // we Ref it here, because we want to keep a copy around for now...
 
-	mgr.QueueEvent(x509_cert, vl);
+	mgr.QueueEvent(x509_certificate, vl);
 
 	// after parsing the certificate - parse the extensions...
 
@@ -70,7 +70,7 @@ bool file_analysis::X509::EndOfFile()
 		if ( !ex )
 			continue;
 
-		ParseExtension(ex, cert_record, cert_val);
+		ParseExtension(ex);
 		}
 	
 	// X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted
@@ -157,7 +157,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 	return pX509Cert;
 	}
 
-void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val) 
+void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) 
 	{
 	char name[256];
 	char oid[256];
@@ -203,20 +203,18 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex, RecordVal* r, X509V
 	// but I am not sure if there is a better way to do it...
 	val_list* vl = new val_list();
 	vl->append(GetFile()->GetVal()->Ref());
-	vl->append(cert_val->Ref());
-	vl->append(r->Ref());
 	vl->append(pX509Ext);
 
 	mgr.QueueEvent(x509_extension, vl);
 
 	// look if we have a specialized handler for this event...
 	if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) 
-		ParseBasicConstraints(ex, r, cert_val);
+		ParseBasicConstraints(ex);
 	else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name )
-		ParseSAN(ex, r, cert_val);
+		ParseSAN(ex);
 	}
 
-void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val) 
+void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
 	
@@ -234,8 +232,6 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r
 		}
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
-		vl->append(cert_val->Ref());
-		vl->append(r->Ref());
 		vl->append(pBasicConstraint);
 
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
@@ -243,7 +239,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r
 		}
 	}
 
-void file_analysis::X509::ParseSAN(X509_EXTENSION* ext, RecordVal* r, X509Val* cert_val) 
+void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) 
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name);
 
@@ -284,11 +280,9 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext, RecordVal* r, X509Val* c
 
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
-		vl->append(cert_val->Ref());
-		vl->append(r->Ref());
 		vl->append(names);
 
-		mgr.QueueEvent(x509_ext_basic_constraints, vl);
+		mgr.QueueEvent(x509_ext_subject_alternative_name, vl);
 	}
 
 StringVal* file_analysis::X509::key_curve(EVP_PKEY *key)
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index b535ebe256..6008383468 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -35,9 +35,9 @@ private:
 	static StringVal* key_curve(EVP_PKEY *key);
 	static unsigned int key_length(EVP_PKEY *key);
 
-	void ParseExtension(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val);
-	void ParseBasicConstraints(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val);
-	void ParseSAN(X509_EXTENSION* ex, RecordVal* r, X509Val* cert_val);
+	void ParseExtension(X509_EXTENSION* ex);
+	void ParseBasicConstraints(X509_EXTENSION* ex);
+	void ParseSAN(X509_EXTENSION* ex);
 
 	std::string cert_data;
 };
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index b78f819e90..2cfc5882a4 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1,4 +1,4 @@
-event x509_cert%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
-event x509_extension%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::Extension%);
-event x509_ext_basic_constraints%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, ext: X509::BasicConstraints%);
-event x509_ext_subject_alternative_name%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate, names: string_vec%);
+event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
+event x509_extension%(f: fa_file, ext: X509::Extension%);
+event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
+event x509_ext_subject_alternative_name%(f: fa_file, names: string_vec%);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 7af8883aef..36c261d216 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -23,11 +23,22 @@ X509* d2i_X509_(X509** px, const u_char** in, int len)
 #endif
 	}
 
+// construct an error record
+RecordVal* x509_error_record(uint64_t num, const char* reason)
+	{
+	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
+
+	rrecord->Assign(0, new Val(num, TYPE_COUNT));
+	rrecord->Assign(1, new StringVal(reason));
+
+	return rrecord;
+	}
+
 %%}
 
 ## Parses a certificate into an X509::Certificate structure
 ##
-## cert: The x509 certificicate opaque
+## cert: The X509 certificicate opaque handle
 ##
 ## Returns: A X509::Certificate structure
 ##
@@ -40,12 +51,50 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
 	return file_analysis::X509::ParseCertificate(h);
 	%}
 
+## Returns the string form of a certificate
+##
+## cert: The X509 certificate opaque handle
+##
+## pem: A boolean that specifies if the certificate is returned
+##      in pem-form (true), or as the raw ASN1 encoded binary
+##      (false).
+##
+## Returns: X509 certificate as a string
+
+function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string
+	%{
+	assert(cert);
+	file_analysis::X509Val* h = (file_analysis::X509Val*) cert;
+
+	BIO *bio = BIO_new(BIO_s_mem());
+	
+	if ( pem )
+		{
+		PEM_write_bio_X509(bio, h->GetCertificate());
+		}
+	else
+		{
+		i2d_X509_bio(bio, h->GetCertificate());
+		}
+	
+	BIO_flush(bio);
+	int length = BIO_pending(bio);
+	// use OPENSS_malloc here. Otherwhise, interesting problems will happen
+	char *buffer = (char*) OPENSSL_malloc(length);
+	BIO_read(bio, (void*) buffer, length);
+	StringVal* ext_val = new StringVal(length, buffer);
+	OPENSSL_free(buffer);
+	BIO_free_all(bio);
+			
+	return ext_val;
+	%}
+
+
 ## Verifies a certificate.
 ##
-## cert_val: The X.509 certificate in DER format.
-##
-## cert_stack: Specifies a certificate chain that is being used to validate
-##             the given certificate against the root store given in *root_certs*
+## certs: Specifies a certificate chain that is being used to validate
+##        the given certificate against the root store given in *root_certs*.
+##        The host certificate has to be at index 0.
 ##
 ## root_certs: A list of root certificates to validate the certificate chain
 ##
@@ -53,10 +102,27 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
 ##          operation. In case of success also returns the full certificate chain.
 ##
 ## .. bro:see:: x509_parse
-function x509_verify%(cert_val: opaque of x509, cert_stack: x509_opaque_vector, root_certs: table_string_of_string%): X509::Result
+function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string%): X509::Result
 	%{
 	X509_STORE* ctx = 0;
 	int i = 0;
+	
+	VectorVal *certs_vec = certs->AsVectorVal();
+	if ( certs_vec->Size() < 1 )
+		{
+		reporter->Error("No certificates given in vector");
+		return x509_error_record(-1, "no certificates");
+		}
+
+	// host certificate
+	unsigned int index = 0; // to prevent overloading to 0pointer
+	Val *sv = certs_vec->Lookup(index);
+	if ( !sv )
+		{
+		builtin_error("undefined value in certificate vector");
+		return x509_error_record(-1, "undefined value in certificate vector");
+		}
+	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) sv;	
 
 	// If this certificate store was built previously, just reuse the old one.
 	if ( x509_stores.count(root_certs) > 0 )
@@ -78,7 +144,7 @@ function x509_verify%(cert_val: opaque of x509, cert_stack: x509_opaque_vector,
 			if ( ! x )
 				{
 				builtin_error(fmt("Root CA error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-				return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+				return x509_error_record((uint64) ERR_get_error(), ERR_error_string(ERR_peek_last_error(),NULL));
 				}
 			X509_STORE_add_cert(ctx, x);
 			}
@@ -88,34 +154,30 @@ function x509_verify%(cert_val: opaque of x509, cert_stack: x509_opaque_vector,
 		x509_stores[root_certs] = ctx;
 		}
 
-	assert(cert_val);
-	file_analysis::X509Val* cert_handle = (file_analysis::X509Val*) cert_val;
-
 	X509* cert = cert_handle->GetCertificate();
 	if ( ! cert )
 		{
 		builtin_error(fmt("No certificate in opaque"));
-		return new Val(-1, TYPE_COUNT);
+		return x509_error_record(-1, "No certificate in opaque");
 		}
 
 	STACK_OF(X509)* untrusted_certs = sk_X509_new_null();
 	if ( ! untrusted_certs )
 		{
 		builtin_error(fmt("Untrusted certificate stack initialization error: %s", ERR_error_string(ERR_peek_last_error(),NULL)));
-		return new Val((uint64) ERR_get_error(), TYPE_COUNT);
+		return x509_error_record((uint64) ERR_get_error(), ERR_error_string(ERR_peek_last_error(),NULL));		
 		}
 
-	VectorVal *cert_stack_vec = cert_stack->AsVectorVal();
-	for ( i = 0; i < (int) cert_stack_vec->Size(); ++i )
+	for ( i = 1; i < (int) certs_vec->Size(); ++i ) // start at 1 - 0 is host cert
 		{
-		Val *sv = cert_stack_vec->Lookup(i);
+		Val *sv = certs_vec->Lookup(i);
 		// Fixme: check type
 		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
 		if ( ! x )
 			{
 			sk_X509_pop(untrusted_certs);
 			builtin_error(fmt("No certificate in opaque in stack"));
-			return new Val(-1, TYPE_COUNT);
+			return x509_error_record(-1, "No certificate in opaque");
 			}
 		sk_X509_push(untrusted_certs, x);
 		}

From 7eb6b5133e803411d7c97aee02456efb55ac5f18 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 4 Mar 2014 05:29:04 -0800
Subject: [PATCH 073/220] Fix circular reference problem and a few other small
 things.

SSL::Info now holds a reference to Files::Info instead of the
fa_files record.

Everything should work now, if everyone thinks that the interface is
ok I will update the test baselines in a bit.

addresses BIT-953, BIT-760
---
 scripts/base/files/x509/main.bro              | 26 +++++++++----------
 scripts/base/protocols/ssl/files.bro          |  9 ++++---
 .../policy/protocols/ssl/expiring-certs.bro   |  2 +-
 .../protocols/ssl/extract-certs-pem.bro       |  2 +-
 scripts/policy/protocols/ssl/known-certs.bro  |  2 +-
 scripts/policy/protocols/ssl/notary.bro       |  2 +-
 scripts/test-all-policy.bro                   |  2 +-
 src/file_analysis/analyzer/x509/X509.cc       |  2 +-
 8 files changed, 24 insertions(+), 23 deletions(-)

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 2238cf0c8b..b20c6c715e 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -39,7 +39,7 @@ event bro_init() &priority=5
 	Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]);
 	}
 
-redef record fa_file += {
+redef record Files::Info += {
 	## Information about X509 certificates. This is used to keep
 	## certificate information until all events have been received.
 	x509: X509::Info &optional;
@@ -47,31 +47,31 @@ redef record fa_file += {
 
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
-	f$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
+	f$info$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
 	}
 
 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
 	{
-	if ( f?$x509 )
-		f$x509$extensions[|f$x509$extensions|] = ext;
+	if ( f$info?$x509 )
+		f$info$x509$extensions[|f$info$x509$extensions|] = ext;
 	}
 
 event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
 	{
-	if ( f?$x509 )
-		f$x509$basic_constraints = ext;
+	if ( f$info?$x509 )
+		f$info$x509$basic_constraints = ext;
 	}
 
 event x509_ext_subject_alternative_name(f: fa_file, names: string_vec) &priority=5
 	{
-	if ( f?$x509 )
-		f$x509$san = names;
+	if ( f$info?$x509 )
+		f$info$x509$san = names;
 	}
 
-event file_state_remove(f: fa_file)
+event file_state_remove(f: fa_file) &priority=5
 	{
-	if ( f?$x509 )
-		{
-		Log::write(LOG, f$x509);
-		}
+	if ( ! f$info?$x509 )
+		return;
+
+	Log::write(LOG, f$info$x509);
 	}
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index a8e755e953..a10a3f5f76 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -1,6 +1,7 @@
 @load ./main
 @load base/utils/conn-ids
 @load base/frameworks/files
+@load base/files/x509
 
 module SSL;
 
@@ -8,7 +9,7 @@ export {
 	redef record Info += {
 		## Chain of certificates offered by the server to validate its
 		## complete signing chain.
-		cert_chain: vector of fa_file &optional;
+		cert_chain: vector of Files::Info &optional;
 
 		## An ordered vector of all certicate file unique IDs for the
 		## certificates offered by the server.
@@ -16,7 +17,7 @@ export {
 
 		## Chain of certificates offered by the client to validate its
 		## complete signing chain.
-		client_cert_chain: vector of fa_file &optional;
+		client_cert_chain: vector of Files::Info &optional;
 		
 		## An ordered vector of all certicate file unique IDs for the
 		## certificates offered by the client.
@@ -80,12 +81,12 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 
 	if ( is_orig )
 		{
-		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f;
+		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
 		c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
 		}
 	else
 		{
-		c$ssl$cert_chain[|c$ssl$cert_chain|] = f;
+		c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
 		c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
 		}
 
diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index fc48ad9f2b..a76dc542f4 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -39,7 +39,7 @@ event ssl_established(c: connection) &priority=3
 		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$info$md5;
+	local hash = c$ssl$cert_chain[0]$md5;
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
 	
 	if ( cert$not_valid_before > network_time() )
diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.bro
index 247d58fea2..1cfccb6556 100644
--- a/scripts/policy/protocols/ssl/extract-certs-pem.bro
+++ b/scripts/policy/protocols/ssl/extract-certs-pem.bro
@@ -34,7 +34,7 @@ event ssl_established(c: connection) &priority=5
 	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$info$sha1;
+	local hash = c$ssl$cert_chain[0]$sha1;
 	local cert = c$ssl$cert_chain[0]$x509$handle;
 
 	if ( hash in extracted_certs )
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
index e1bf59e72d..e0e76eb526 100644
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -51,7 +51,7 @@ event ssl_established(c: connection) &priority=3
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$info$sha1;
+	local hash = c$ssl$cert_chain[0]$sha1;
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
 
 	local host = c$id$resp_h;
diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro
index 424959df2f..3646a4d43e 100644
--- a/scripts/policy/protocols/ssl/notary.bro
+++ b/scripts/policy/protocols/ssl/notary.bro
@@ -42,7 +42,7 @@ event ssl_established(c: connection) &priority=3
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
 		return;
 
-	local digest = c$ssl$cert_chain[0]$info$sha1;
+	local digest = c$ssl$cert_chain[0]$sha1;
 
 	if ( digest in notary_cache )
 		{
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 3a0bd17614..a29d2d3030 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -26,6 +26,7 @@
 @load frameworks/intel/seen/smtp.bro
 @load frameworks/intel/seen/ssl.bro
 @load frameworks/intel/seen/where-locations.bro
+@load frameworks/intel/seen/x509.bro
 @load frameworks/files/detect-MHR.bro
 @load frameworks/files/hash-all-files.bro
 @load frameworks/packet-filter/shunt.bro
@@ -82,7 +83,6 @@
 @load protocols/ssh/geo-data.bro
 @load protocols/ssh/interesting-hostnames.bro
 @load protocols/ssh/software.bro
-@load protocols/ssl/cert-hash.bro
 @load protocols/ssl/expiring-certs.bro
 @load protocols/ssl/extract-certs-pem.bro
 @load protocols/ssl/known-certs.bro
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 96e0964eff..4109781193 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -480,7 +480,7 @@ X509Val::~X509Val()
 
 bool X509Val::DoSerialize(SerialInfo* info) const
 	{
-	DO_SERIALIZE(SER_X509_VAL, X509Val);
+	DO_SERIALIZE(SER_X509_VAL, OpaqueVal);
 
 	unsigned char *buf = NULL;
 

From b22ca5d0a3caf0f4501739abe4d111eec5e29253 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 4 Mar 2014 11:12:06 -0600
Subject: [PATCH 074/220] Replace libmagic w/ Bro signatures for file MIME type
 identification.

Notable changes:

- libmagic is no longer used at all.  All MIME type detection is
  done through new Bro signatures, and there's no longer a means to get
  verbose file type descriptions (e.g. "PNG image data, 1435 x 170").
  The majority of the default file magic signatures are derived
  from the default magic database of libmagic ~5.17.

- File magic signatures consist of two new constructs in the
  signature rule parsing grammar: "file-magic" gives a regular
  expression to match against, and "file-mime" gives the MIME type
  string of content that matches the magic and an optional strength
  value for the match.

- Modified signature/rule syntax for identifiers: they can no longer
  start with a '-', which made for ambiguous syntax when doing negative
  strength values in "file-mime".  Also brought syntax for Bro script
  identifiers in line with reality (they can't start with numbers or
  include '-' at all).

- A new Built-In Function, "file_magic", can be used to get all
  file magic matches and their corresponding strength against a given
  chunk of data

- The second parameter of the "identify_data" Built-In Function
  can no longer be used to get verbose file type descriptions, though it
  can still be used to get the strongest matching file magic signature.

- The "file_transferred" event's "descr" parameter no longer
  contains verbose file type descriptions.

- The BROMAGIC environment variable no longer changes any behavior
  in Bro as magic databases are no longer used/installed.

- Reverted back to minimum requirement of CMake 2.6.3 from 2.8.0
  (it's back to being the same requirement as the Bro v2.2 release).
  The bump was to accomodate building libmagic as an external project,
  which is no longer needed.

Addresses BIT-1143.
---
 .gitmodules                                   |    3 -
 CMakeLists.txt                                |   39 +-
 doc/CMakeLists.txt                            |    3 -
 doc/frameworks/signatures.rst                 |   42 +-
 doc/install/install.rst                       |    2 +-
 magic                                         |    1 -
 scripts/base/frameworks/files/__load__.bro    |    1 +
 .../base/frameworks/files/magic/__load__.bro  |    2 +
 .../base/frameworks/files/magic/general.sig   |   11 +
 .../base/frameworks/files/magic/libmagic.sig  | 4199 +++++++++++++++++
 scripts/base/init-bare.bro                    |   17 +
 scripts/base/init-default.bro                 |    1 -
 src/CMakeLists.txt                            |    3 -
 src/NetVar.cc                                 |    4 +
 src/NetVar.h                                  |    2 +
 src/Rule.cc                                   |    2 +-
 src/Rule.h                                    |    2 +-
 src/RuleAction.cc                             |    5 +
 src/RuleAction.h                              |   25 +
 src/RuleMatcher.cc                            |  139 +
 src/RuleMatcher.h                             |   65 +
 src/analyzer/protocol/file/File.cc            |   14 +-
 src/analyzer/protocol/file/events.bif         |   11 +-
 src/bro.bif                                   |   66 +-
 src/file_analysis/File.cc                     |   20 +-
 src/file_analysis/File.h                      |    5 +-
 src/main.cc                                   |    8 -
 src/rule-parse.y                              |   22 +-
 src/rule-scan.l                               |   10 +-
 src/util-config.h.in                          |    1 -
 src/util.cc                                   |   49 -
 src/util.h                                    |    7 -
 testing/btest/Baseline/bifs.identify_data/out |    2 -
 .../canonified_loaded_scripts.log             |    5 +-
 .../canonified_loaded_scripts.log             |    5 +-
 .../btest-doc.sphinx.file_extraction#1        |    2 +-
 .../btest-doc.sphinx.mimestats#1              |    8 +-
 .../out                                       |    2 +-
 .../c.out                                     |    2 +-
 testing/btest/bifs/identify_data.bro          |    2 -
 40 files changed, 4636 insertions(+), 173 deletions(-)
 delete mode 160000 magic
 create mode 100644 scripts/base/frameworks/files/magic/__load__.bro
 create mode 100644 scripts/base/frameworks/files/magic/general.sig
 create mode 100644 scripts/base/frameworks/files/magic/libmagic.sig

diff --git a/.gitmodules b/.gitmodules
index 87826d2ef6..4998cc6b80 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -16,9 +16,6 @@
 [submodule "cmake"]
 	path = cmake
 	url = git://git.bro.org/cmake
-[submodule "magic"]
-	path = magic
-	url = git://git.bro.org/bromagic
 [submodule "src/3rdparty"]
 	path = src/3rdparty
 	url = git://git.bro.org/bro-3rdparty
diff --git a/CMakeLists.txt b/CMakeLists.txt
index f773381ae8..0dbbae133b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,5 @@
 project(Bro C CXX)
-cmake_minimum_required(VERSION 2.8.0 FATAL_ERROR)
+cmake_minimum_required(VERSION 2.6.3 FATAL_ERROR)
 include(cmake/CommonCMakeConfig.cmake)
 
 ########################################################################
@@ -16,17 +16,12 @@ endif ()
 get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH}
     ABSOLUTE)
 
-set(BRO_MAGIC_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro/magic)
-set(BRO_MAGIC_SOURCE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/magic/database)
-
 configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev)
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh
      "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
-     "export BROMAGIC=\"${BRO_MAGIC_SOURCE_PATH}\"\n"
      "export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh
      "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n"
-     "setenv BROMAGIC \"${BRO_MAGIC_SOURCE_PATH}\"\n"
      "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
 file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
@@ -39,32 +34,6 @@ set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}")
 ########################################################################
 ## Dependency Configuration
 
-include(ExternalProject)
-
-# LOG_* options to ExternalProject_Add appear in CMake 2.8.3.  If
-# available, using them hides external project configure/build output.
-if("${CMAKE_VERSION}" VERSION_GREATER 2.8.2)
-    set(EXTERNAL_PROJECT_LOG_OPTIONS
-        LOG_DOWNLOAD 1 LOG_UPDATE 1 LOG_CONFIGURE 1 LOG_BUILD 1 LOG_INSTALL 1)
-else()
-    set(EXTERNAL_PROJECT_LOG_OPTIONS)
-endif()
-
-set(LIBMAGIC_PREFIX ${CMAKE_CURRENT_BINARY_DIR}/libmagic-prefix)
-set(LIBMAGIC_INCLUDE_DIR ${LIBMAGIC_PREFIX}/include)
-set(LIBMAGIC_LIB_DIR ${LIBMAGIC_PREFIX}/lib)
-set(LIBMAGIC_LIBRARY ${LIBMAGIC_LIB_DIR}/libmagic.a)
-ExternalProject_Add(libmagic
-    PREFIX ${LIBMAGIC_PREFIX}
-    URL ${CMAKE_CURRENT_SOURCE_DIR}/src/3rdparty/file-5.17.tar.gz
-    CONFIGURE_COMMAND ./configure --enable-static --disable-shared
-                                  --prefix=${LIBMAGIC_PREFIX}
-                                  --includedir=${LIBMAGIC_INCLUDE_DIR}
-                                  --libdir=${LIBMAGIC_LIB_DIR}
-    BUILD_IN_SOURCE 1
-    ${EXTERNAL_PROJECT_LOG_OPTIONS}
-)
-
 include(FindRequiredPackage)
 
 # Check cache value first to avoid displaying "Found sed" messages everytime
@@ -103,7 +72,6 @@ include_directories(BEFORE
                     ${OpenSSL_INCLUDE_DIR}
                     ${BIND_INCLUDE_DIR}
                     ${BinPAC_INCLUDE_DIR}
-                    ${LIBMAGIC_INCLUDE_DIR}
                     ${ZLIB_INCLUDE_DIR}
 )
 
@@ -182,7 +150,6 @@ set(brodeps
     ${PCAP_LIBRARY}
     ${OpenSSL_LIBRARIES}
     ${BIND_LIBRARY}
-    ${LIBMAGIC_LIBRARY}
     ${ZLIB_LIBRARY}
     ${OPTLIBS}
 )
@@ -220,10 +187,6 @@ CheckOptionalBuildSources(aux/broctl   Broctl   INSTALL_BROCTL)
 CheckOptionalBuildSources(aux/bro-aux  Bro-Aux  INSTALL_AUX_TOOLS)
 CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
 
-install(DIRECTORY ./magic/database/
-        DESTINATION ${BRO_MAGIC_INSTALL_PATH}
-)
-
 ########################################################################
 ## Packaging Setup
 
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 9498556edc..414cf56b0c 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -14,8 +14,6 @@ if (NOT ${retval} EQUAL 0)
     message(FATAL_ERROR "Problem setting BROPATH")
 endif ()
 
-set(BROMAGIC ${BRO_MAGIC_SOURCE_PATH})
-
 # Configure the Sphinx config file (expand variables CMake might know about).
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/conf.py.in
                ${CMAKE_CURRENT_BINARY_DIR}/conf.py
@@ -34,7 +32,6 @@ add_custom_target(sphinxdoc
             ${CMAKE_CURRENT_SOURCE_DIR}/ ${SPHINX_INPUT_DIR}
     # Use Bro/Broxygen to dynamically generate reST for all Bro scripts.
     COMMAND BROPATH=${BROPATH}
-            BROMAGIC=${BROMAGIC}
             ${CMAKE_BINARY_DIR}/src/bro
             -X ${CMAKE_CURRENT_BINARY_DIR}/broxygen.conf
             broxygen >/dev/null
diff --git a/doc/frameworks/signatures.rst b/doc/frameworks/signatures.rst
index 884dcb8a47..1443f76ba1 100644
--- a/doc/frameworks/signatures.rst
+++ b/doc/frameworks/signatures.rst
@@ -64,8 +64,8 @@ expect that signature file in the same directory as the Bro script. The
 default extension of the file name is ``.sig``, and Bro appends that
 automatically when necessary.
 
-Signature language
-==================
+Signature Language for Network Traffic
+======================================
 
 Let's look at the format of a signature more closely. Each individual
 signature has the format ``signature <id> { <attributes> }``. ``<id>``
@@ -286,6 +286,44 @@ two actions defined:
     connection (``"http"``, ``"ftp"``, etc.). This is used by Bro's
     dynamic protocol detection to activate analyzers on the fly.
 
+Signature Language for File Content
+===================================
+
+The signature framework can also be used to identify MIME types of files
+irrespective of the network protocol/connection over which the file is
+transferred.  A special type of signature can be written for this
+purpose and will be used automatically by the :doc:`Files Framework
+<file-analysis>` or by Bro scripts that use the :bro:see:`file_magic`
+built-in function.
+
+Conditions
+----------
+
+File signatures use a single type of content condition in the form of a
+regular expression:
+
+``file-magic /<regular expression>/``
+
+This is analogous to the ``payload`` content condition for the network
+traffic signature language described above.  The difference is that
+``payload`` signatures are applied to payloads of network connections,
+but ``file-magic`` can be applied to any arbitrary data, it does not
+have to be tied to a network protocol/connection.
+
+Actions
+-------
+
+Upon matching a chunk of data, file signatures use the following action
+to get information about that data's MIME type:
+
+``file-mime <string> [, <integer>]``
+
+The arguments include the MIME type string associated with the file
+magic regular expression and an optional "strength" as a signed integer.
+Since multiple file magic signatures may match against a given chunk of
+data, the strength value may be used to help choose a "winner".  Higher
+values are considered stronger.
+
 Things to keep in mind when writing signatures
 ==============================================
 
diff --git a/doc/install/install.rst b/doc/install/install.rst
index 7400d640fe..058bb369eb 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -35,7 +35,7 @@ before you begin:
 
 To build Bro from source, the following additional dependencies are required:
 
-    * CMake 2.8.0 or greater            (http://www.cmake.org)
+    * CMake 2.6.3 or greater            (http://www.cmake.org)
     * Make
     * C/C++ compiler
     * SWIG                              (http://www.swig.org)
diff --git a/magic b/magic
deleted file mode 160000
index 99c6b89230..0000000000
--- a/magic
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 99c6b89230e2b9b0e781c42b0b9412d2ab4e14b2
diff --git a/scripts/base/frameworks/files/__load__.bro b/scripts/base/frameworks/files/__load__.bro
index 783797e17b..2177d81e25 100644
--- a/scripts/base/frameworks/files/__load__.bro
+++ b/scripts/base/frameworks/files/__load__.bro
@@ -1 +1,2 @@
 @load ./main.bro
+@load ./magic
diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro
new file mode 100644
index 0000000000..4a2de0926d
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/__load__.bro
@@ -0,0 +1,2 @@
+@load-sigs ./general
+@load-sigs ./libmagic
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
new file mode 100644
index 0000000000..595bcc2f62
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -0,0 +1,11 @@
+# General purpose file magic signatures.
+
+signature file-plaintext {
+    file-magic /([[:print:][:space:]]+)/
+    file-mime "text/plain", -20
+}
+
+signature file-binary {
+    file-magic /(.*)([^[:print:][:space:]]+)/
+    file-mime "binary", -10
+}
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
new file mode 100644
index 0000000000..25f5ba8c0f
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
@@ -0,0 +1,4199 @@
+# These signatures were semi-automatically generated from libmagic's
+# (~ v5.17) magic database rules that have an associated mime type.
+# After generating, they were all manually reviewed and occassionally
+# needed minor modifications by hand or just ommited depending on
+# the complexity of the original magic rules.
+#
+# The instrumented version of the `file` command used to generate these
+# is located at: https://github.com/jsiwek/file/tree/bro-signatures.
+
+# >2080  string,=Foglio di lavoro Microsoft Exce (len=31), ["%s"], swap_endian=0
+signature file-magic-auto0 {
+	file-mime "application/vnd.ms-excel", 340
+	file-magic /(.{2080})(Foglio di lavoro Microsoft Exce)/
+}
+
+# >2  string,=---BEGIN PGP PUBLIC KEY BLOCK- (len=30), ["PGP public key block"], swap_endian=0
+signature file-magic-auto1 {
+	file-mime "application/pgp-keys", 330
+	file-magic /(.{2})(\x2d\x2d\x2dBEGIN PGP PUBLIC KEY BLOCK\x2d)/
+}
+
+# >2080  string,=Microsoft Excel 5.0 Worksheet (len=29), ["%s"], swap_endian=0
+signature file-magic-auto2 {
+	file-mime "application/vnd.ms-excel", 320
+	file-magic /(.{2080})(Microsoft Excel 5\x2e0 Worksheet)/
+}
+
+# >11  string,=must be converted with BinHex (len=29), ["BinHex binary text"], swap_endian=0
+signature file-magic-auto3 {
+	file-mime "application/mac-binhex40", 320
+	file-magic /(.{11})(must be converted with BinHex)/
+}
+
+# >2080  string,=Microsoft Word 6.0 Document (len=27), ["%s"], swap_endian=0
+signature file-magic-auto4 {
+	file-mime "application/msword", 300
+	file-magic /(.{2080})(Microsoft Word 6\x2e0 Document)/
+}
+
+# >2080  string,=Documento Microsoft Word 6 (len=26), ["Spanish Microsoft Word 6 document data"], swap_endian=0
+signature file-magic-auto5 {
+	file-mime "application/msword", 290
+	file-magic /(.{2080})(Documento Microsoft Word 6)/
+}
+
+# >0  string,=-----BEGIN PGP SIGNATURE- (len=25), ["PGP signature"], swap_endian=0
+signature file-magic-auto6 {
+	file-mime "application/pgp-signature", 280
+	file-magic /(\x2d\x2d\x2d\x2d\x2dBEGIN PGP SIGNATURE\x2d)/
+}
+
+# >10  string,=# This is a shell archive (len=25), ["shell archive text"], swap_endian=0
+signature file-magic-auto7 {
+	file-mime "application/octet-stream", 280
+	file-magic /(.{10})(\x23 This is a shell archive)/
+}
+
+# >0  string,=-----BEGIN PGP MESSAGE- (len=23), ["PGP message"], swap_endian=0
+signature file-magic-auto8 {
+	file-mime "application/pgp", 260
+	file-magic /(\x2d\x2d\x2d\x2d\x2dBEGIN PGP MESSAGE\x2d)/
+}
+
+# >0  string,=<SCRIBUSUTF8NEW Version (len=23), ["Scribus Document"], swap_endian=0
+signature file-magic-auto9 {
+	file-mime "application/x-scribus", 260
+	file-magic /(\x3cSCRIBUSUTF8NEW Version)/
+}
+
+# >0  string,=<?php /* Smarty version (len=23), ["Smarty compiled template"], swap_endian=0
+# >>24  regex,=[0-9.]+ (len=7), [", version %s"], swap_endian=0
+signature file-magic-auto10 {
+	file-mime "text/x-php", 37
+	file-magic /(\x3c\x3fphp \x2f\x2a Smarty version)(.{1})([0-9.]+)/
+}
+
+# >0  string/w,=<map version="freeplane (len=23), ["Freeplane document"], swap_endian=0
+signature file-magic-auto11 {
+	file-mime "application/x-freeplane", 260
+	file-magic /(\x3cmap ?version\x3d\x22freeplane)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/nawk (len=22), ["new awk script text executable"], swap_endian=0
+signature file-magic-auto12 {
+	file-mime "text/x-nawk", 250
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fnawk)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/gawk (len=22), ["GNU awk script text executable"], swap_endian=0
+signature file-magic-auto13 {
+	file-mime "text/x-gawk", 250
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fgawk)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/bash (len=22), ["Bourne-Again shell script text executable"], swap_endian=0
+signature file-magic-auto14 {
+	file-mime "text/x-shellscript", 250
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fbash)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/tcsh (len=22), ["Tenex C shell script text executable"], swap_endian=0
+signature file-magic-auto15 {
+	file-mime "text/x-shellscript", 250
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcsh)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/zsh (len=21), ["Paul Falstad's zsh script text executable"], swap_endian=0
+signature file-magic-auto16 {
+	file-mime "text/x-shellscript", 240
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fzsh)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/ash (len=21), ["Neil Brown's ash script text executable"], swap_endian=0
+signature file-magic-auto17 {
+	file-mime "text/x-shellscript", 240
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fash)/
+}
+
+# >0  string/wt,=#! /usr/local/bin/ae (len=20), ["Neil Brown's ae script text executable"], swap_endian=0
+signature file-magic-auto18 {
+	file-mime "text/x-shellscript", 230
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fae)/
+}
+
+# >0  string,=# PaCkAgE DaTaStReAm (len=20), ["pkg Datastream (SVR4)"], swap_endian=0
+signature file-magic-auto19 {
+	file-mime "application/x-svr4-package", 230
+	file-magic /(\x23 PaCkAgE DaTaStReAm)/
+}
+
+# >0  string,=Creative Voice File (len=19), ["Creative Labs voice data"], swap_endian=0
+signature file-magic-auto20 {
+	file-mime "audio/x-unknown", 220
+	file-magic /(Creative Voice File)/
+}
+
+# >0  string/t,=[KDE Desktop Entry] (len=19), ["KDE desktop entry"], swap_endian=0
+signature file-magic-auto21 {
+	file-mime "application/x-kdelnk", 220
+	file-magic /(\x5bKDE Desktop Entry\x5d)/
+}
+
+# >512  string,=R\000o\000o\000t\000 \000E\000n\000t\000r\000y (len=19), ["Microsoft Word Document"], swap_endian=0
+signature file-magic-auto22 {
+	file-mime "application/msword", 220
+	file-magic /(.{512})(R\x00o\x00o\x00t\x00 \x00E\x00n\x00t\x00r\x00y)/
+}
+
+# >0  string,=!<arch>\n__________E (len=19), ["MIPS archive"], swap_endian=0
+signature file-magic-auto23 {
+	file-mime "application/x-archive", 220
+	file-magic /(\x21\x3carch\x3e\x0a\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5fE)/
+}
+
+# >0  string/wt,=#! /usr/local/tcsh (len=18), ["Tenex C shell script text executable"], swap_endian=0
+signature file-magic-auto24 {
+	file-mime "text/x-shellscript", 210
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2ftcsh)/
+}
+
+# >0  string/wt,=#! /usr/local/bash (len=18), ["Bourne-Again shell script text executable"], swap_endian=0
+signature file-magic-auto25 {
+	file-mime "text/x-shellscript", 210
+	file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbash)/
+}
+
+# >0  string/t,=# KDE Config File (len=17), ["KDE config file"], swap_endian=0
+signature file-magic-auto26 {
+	file-mime "application/x-kdelnk", 200
+	file-magic /(\x23 KDE Config File)/
+}
+
+# >0  string,=RF64\377\377\377\377WAVEds64 (len=16), ["MBWF/RF64 audio"], swap_endian=0
+signature file-magic-auto27 {
+	file-mime "audio/x-wav", 190
+	file-magic /(RF64\xff\xff\xff\xffWAVEds64)/
+}
+
+# >0  string,=riff.\221\317\021\245\326(\333\004\301\000\000 (len=16), ["Sony Wave64 RIFF data"], swap_endian=0
+# >>24  string,=wave\363\254\323\021\214\321\000\300O\216\333\212 (len=16), [", WAVE 64 audio"], swap_endian=0
+signature file-magic-auto28 {
+	file-mime "audio/x-w64", 190
+	file-magic /(riff\x2e\x91\xcf\x11\xa5\xd6\x28\xdb\x04\xc1\x00\x00)(.{8})(wave\xf3\xac\xd3\x11\x8c\xd1\x00\xc0O\x8e\xdb\x8a)/
+}
+
+# >0  string/wt,=#! /usr/bin/nawk (len=16), ["new awk script text executable"], swap_endian=0
+signature file-magic-auto29 {
+	file-mime "text/x-nawk", 190
+	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fnawk)/
+}
+
+# >0  string/wt,=#! /usr/bin/tcsh (len=16), ["Tenex C shell script text executable"], swap_endian=0
+signature file-magic-auto30 {
+	file-mime "text/x-shellscript", 190
+	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2ftcsh)/
+}
+
+# >0  string/wt,=#! /usr/bin/gawk (len=16), ["GNU awk script text executable"], swap_endian=0
+signature file-magic-auto31 {
+	file-mime "text/x-gawk", 190
+	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fgawk)/
+}
+
+# >369  string,=MICROSOFT PIFEX\000 (len=16), ["Windows Program Information File"], swap_endian=0
+signature file-magic-auto32 {
+	file-mime "application/x-dosexec", 190
+	file-magic /(.{369})(MICROSOFT PIFEX\x00)/
+}
+
+# >0  string/wt,=#! /usr/bin/bash (len=16), ["Bourne-Again shell script text executable"], swap_endian=0
+signature file-magic-auto33 {
+	file-mime "text/x-shellscript", 190
+	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fbash)/
+}
+
+# >0  string/w,=#VRML V1.0 ascii (len=16), ["VRML 1 file"], swap_endian=0
+signature file-magic-auto34 {
+	file-mime "model/vrml", 190
+	file-magic /(\x23VRML ?V1\x2e0 ?ascii)/
+}
+
+# >0  string,=<MakerScreenFont (len=16), ["FrameMaker Font file"], swap_endian=0
+signature file-magic-auto35 {
+	file-mime "application/x-mif", 190
+	file-magic /(\x3cMakerScreenFont)/
+}
+
+# >0  string,=Extended Module: (len=16), ["Fasttracker II module sound data"], swap_endian=0
+signature file-magic-auto36 {
+	file-mime "audio/x-mod", 190
+	file-magic /(Extended Module\x3a)/
+}
+
+# >0  string/t,=<?xml version " (len=15), ["XML"], swap_endian=0
+signature file-magic-auto37 {
+	file-mime "application/xml", 185
+	file-magic /(\x3c\x3fxml version \x22)/
+}
+
+# >0  string/t,=<?xml version=" (len=15), ["XML"], swap_endian=0
+signature file-magic-auto38 {
+	file-mime "application/xml", 185
+	file-magic /(\x3c\x3fxml version\x3d\x22)/
+}
+
+# >0  string,=<?xml version=' (len=15), ["XML"], swap_endian=0
+signature file-magic-auto39 {
+	file-mime "application/xml", 185
+	file-magic /(\x3c\x3fxml version\x3d\x27)/
+}
+
+# >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
+# >>20  search/wc/1000,=<!DOCTYPE X3D (len=13), ["X3D (Extensible 3D) model xml text"], swap_endian=0
+signature file-magic-auto40 {
+	file-mime "model/x3d", 43
+	file-magic /(\x3c\x3fxml version\x3d\x22)(.{5})(.*)(\x3c\x21DOCTYPE ?X3D)/
+}
+
+# >0  string/t,=<?xml version=' (len=15), [""], swap_endian=0
+# >>15  string,>\000 (len=1), [""], swap_endian=0
+# >>>19  search/Wctb/4096,=<!doctype html (len=14), ["XHTML document text"], swap_endian=0
+signature file-magic-auto41 {
+	file-mime "text/html", 44
+	file-magic /(\x3c\x3fxml version\x3d\x27)([^\x00])(.{3})(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
+}
+
+# >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
+# >>15  string,>\000 (len=1), [""], swap_endian=0
+# >>>19  search/Wctb/4096,=<!doctype html (len=14), ["XHTML document text"], swap_endian=0
+signature file-magic-auto42 {
+	file-mime "text/html", 44
+	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
+}
+
+# >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
+# >>15  string,>\000 (len=1), [""], swap_endian=0
+# >>>19  search/4096,=<urlset (len=7), ["XML Sitemap document text"], swap_endian=0
+signature file-magic-auto43 {
+	file-mime "application/xml-sitemap", 37
+	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3curlset)/
+}
+
+# >0  string,=<?xml version=" (len=15), [""], swap_endian=0
+# >>15  string,>\000 (len=1), [""], swap_endian=0
+# >>>19  search/4096,=<svg (len=4), ["SVG Scalable Vector Graphics image"], swap_endian=0
+signature file-magic-auto44 {
+	file-mime "image/svg+xml", 38
+	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3csvg)/
+}
+
+# >0  string,=<?xml version=" (len=15), [""], swap_endian=0
+# >>15  string,>\000 (len=1), [""], swap_endian=0
+# >>>19  search/4096,=<gnc-v2 (len=7), ["GnuCash file"], swap_endian=0
+signature file-magic-auto45 {
+	file-mime "application/x-gnucash", 37
+	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3cgnc\x2dv2)/
+}
+
+# >0  string/t,=<?xml version=" (len=15), [""], swap_endian=0
+# >>15  string,>\000 (len=1), [""], swap_endian=0
+# >>>19  search/Wctb/4096,=<html (len=5), ["broken XHTML document text"], swap_endian=0
+signature file-magic-auto46 {
+	file-mime "text/html", 40
+	file-magic /(\x3c\x3fxml version\x3d\x22)([^\x00])(.{3})(.*)(\x3c[hH][tT][mM][lL])/
+}
+
+# >0  string/c,=BEGIN:VCALENDAR (len=15), ["vCalendar calendar file"], swap_endian=0
+signature file-magic-auto47 {
+	file-mime "text/calendar", 180
+	file-magic /(BEGIN\x3aVCALENDAR)/
+}
+
+# >4  string,=Standard Jet DB (len=15), ["Microsoft Access Database"], swap_endian=0
+signature file-magic-auto48 {
+	file-mime "application/x-msaccess", 180
+	file-magic /(.{4})(Standard Jet DB)/
+}
+
+# >4  string,=Standard ACE DB (len=15), ["Microsoft Access Database"], swap_endian=0
+signature file-magic-auto49 {
+	file-mime "application/x-msaccess", 180
+	file-magic /(.{4})(Standard ACE DB)/
+}
+
+# >0  string/w,=#VRML V2.0 utf8 (len=15), ["ISO/IEC 14772 VRML 97 file"], swap_endian=0
+signature file-magic-auto50 {
+	file-mime "model/vrml", 180
+	file-magic /(\x23VRML ?V2\x2e0 ?utf8)/
+}
+
+# >0  string/wt,=#! /usr/bin/awk (len=15), ["awk script text executable"], swap_endian=0
+signature file-magic-auto51 {
+	file-mime "text/x-awk", 180
+	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fawk)/
+}
+
+# >0  string/wt,=#! /usr/bin/zsh (len=15), ["Paul Falstad's zsh script text executable"], swap_endian=0
+signature file-magic-auto52 {
+	file-mime "text/x-shellscript", 180
+	file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fzsh)/
+}
+
+# >0  string,=MAS_UTrack_V00 (len=14), [""], swap_endian=0
+# >>14  string,>/0 (len=2), ["ultratracker V1.%.1s module sound data"], swap_endian=0
+signature file-magic-auto53 {
+	file-mime "audio/x-mod", 20
+	file-magic /(MAS\x5fUTrack\x5fV00)(\x2f0)/
+}
+
+# >0  string,=!<arch>\ndebian (len=14), [""], swap_endian=0
+signature file-magic-auto54 {
+	file-mime "application/x-debian-package", 171
+	file-magic /(\x21\x3carch\x3e\x0adebian)/
+}
+
+# >0  string,=II\032\000\000\000HEAPCCDR (len=14), ["Canon CIFF raw image data"], swap_endian=0
+signature file-magic-auto55 {
+	file-mime "image/x-canon-crw", 170
+	file-magic /(II\x1a\x00\x00\x00HEAPCCDR)/
+}
+
+# >0  string/t,=Relay-Version: (len=14), ["old news text"], swap_endian=0
+signature file-magic-auto56 {
+	file-mime "message/rfc822", 170
+	file-magic /(Relay\x2dVersion\x3a)/
+}
+
+# >0  string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0
+# >>32  byte&,=0x00, [", Hash"], swap_endian=0
+signature file-magic-auto57 {
+	file-mime "application/x-tokyocabinet-hash", 40
+	file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x00])/
+}
+
+# >0  string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0
+# >>32  byte&,=0x01, [", B+ tree"], swap_endian=0
+signature file-magic-auto58 {
+	file-mime "application/x-tokyocabinet-btree", 40
+	file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x01])/
+}
+
+# >0  string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0
+# >>32  byte&,=0x02, [", Fixed-length"], swap_endian=0
+signature file-magic-auto59 {
+	file-mime "application/x-tokyocabinet-fixed", 40
+	file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x02])/
+}
+
+# >0  string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0
+# >>32  byte&,=0x03, [", Table"], swap_endian=0
+signature file-magic-auto60 {
+	file-mime "application/x-tokyocabinet-table", 40
+	file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x03])/
+}
+
+# >39  string,=<gmr:Workbook (len=13), ["Gnumeric spreadsheet"], swap_endian=0
+signature file-magic-auto61 {
+	file-mime "application/x-gnumeric", 160
+	file-magic /(.{39})(\x3cgmr\x3aWorkbook)/
+}
+
+# >0  string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0
+signature file-magic-auto62 {
+	file-mime "image/x-polar-monitor-bitmap", 160
+	file-magic /(\x5bBitmapInfo2\x5d)/
+}
+
+# >0  string,=SplineFontDB: (len=13), ["Spline Font Database "], swap_endian=0
+signature file-magic-auto63 {
+	file-mime "application/vnd.font-fontforge-sfd", 160
+	file-magic /(SplineFontDB\x3a)/
+}
+
+# >0  string/ct,=delivered-to: (len=13), ["SMTP mail text"], swap_endian=0
+signature file-magic-auto64 {
+	file-mime "message/rfc822", 160
+	file-magic /([dD][eE][lL][iI][vV][eE][rR][eE][dD]\x2d[tT][oO]\x3a)/
+}
+
+# >0  string/ct,=return-path: (len=12), ["SMTP mail text"], swap_endian=0
+signature file-magic-auto65 {
+	file-mime "message/rfc822", 150
+	file-magic /([rR][eE][tT][uU][rR][nN]\x2d[pP][aA][tT][hH]\x3a)/
+}
+
+# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
+# >>20  string,=jp2  (len=4), ["Part 1 (JP2)"], swap_endian=0
+signature file-magic-auto66 {
+	file-mime "image/jp2", 70
+	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(jp2 )/
+}
+
+# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
+# >>20  string,=jpx  (len=4), ["Part 2 (JPX)"], swap_endian=0
+signature file-magic-auto67 {
+	file-mime "image/jpx", 70
+	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(jpx )/
+}
+
+# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
+# >>20  string,=jpm  (len=4), ["Part 6 (JPM)"], swap_endian=0
+signature file-magic-auto68 {
+	file-mime "image/jpm", 70
+	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(jpm )/
+}
+
+# >0  string,=\000\000\000\fjP  \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0
+# >>20  string,=mjp2 (len=4), ["Part 3 (MJ2)"], swap_endian=0
+signature file-magic-auto69 {
+	file-mime "video/mj2", 70
+	file-magic /(\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a)(.{8})(mjp2)/
+}
+
+# >0  string/w,=<map version (len=12), ["Freemind document"], swap_endian=0
+signature file-magic-auto70 {
+	file-mime "application/x-freemind", 150
+	file-magic /(\x3cmap ?version)/
+}
+
+# >0  string/wt,=#! /bin/tcsh (len=12), ["Tenex C shell script text executable"], swap_endian=0
+signature file-magic-auto71 {
+	file-mime "text/x-shellscript", 150
+	file-magic /(\x23\x21 ?\x2fbin\x2ftcsh)/
+}
+
+# >0  string/wt,=#! /bin/nawk (len=12), ["new awk script text executable"], swap_endian=0
+signature file-magic-auto72 {
+	file-mime "text/x-nawk", 150
+	file-magic /(\x23\x21 ?\x2fbin\x2fnawk)/
+}
+
+# >0  string/wt,=#! /bin/gawk (len=12), ["GNU awk script text executable"], swap_endian=0
+signature file-magic-auto73 {
+	file-mime "text/x-gawk", 150
+	file-magic /(\x23\x21 ?\x2fbin\x2fgawk)/
+}
+
+# >0  string/wt,=#! /bin/bash (len=12), ["Bourne-Again shell script text executable"], swap_endian=0
+signature file-magic-auto74 {
+	file-mime "text/x-shellscript", 150
+	file-magic /(\x23\x21 ?\x2fbin\x2fbash)/
+}
+
+# >0  string/wt,=#! /bin/awk (len=11), ["awk script text executable"], swap_endian=0
+signature file-magic-auto75 {
+	file-mime "text/x-awk", 140
+	file-magic /(\x23\x21 ?\x2fbin\x2fawk)/
+}
+
+# >0  string,=filedesc:// (len=11), ["Internet Archive File"], swap_endian=0
+signature file-magic-auto76 {
+	file-mime "application/x-ia-arc", 140
+	file-magic /(filedesc\x3a\x2f\x2f)/
+}
+
+# >38  string,=Spreadsheet (len=11), ["sc spreadsheet file"], swap_endian=0
+signature file-magic-auto77 {
+	file-mime "application/x-sc", 140
+	file-magic /(.{38})(Spreadsheet)/
+}
+
+# >0  string,=d8:announce (len=11), ["BitTorrent file"], swap_endian=0
+signature file-magic-auto78 {
+	file-mime "application/x-bittorrent", 140
+	file-magic /(d8\x3aannounce)/
+}
+
+# >0  string/wt,=#! /bin/csh (len=11), ["C shell script text executable"], swap_endian=0
+signature file-magic-auto79 {
+	file-mime "text/x-shellscript", 140
+	file-magic /(\x23\x21 ?\x2fbin\x2fcsh)/
+}
+
+# >0  string/wt,=#! /bin/ksh (len=11), ["Korn shell script text executable"], swap_endian=0
+signature file-magic-auto80 {
+	file-mime "text/x-shellscript", 140
+	file-magic /(\x23\x21 ?\x2fbin\x2fksh)/
+}
+
+# >0  string/wt,=#! /bin/zsh (len=11), ["Paul Falstad's zsh script text executable"], swap_endian=0
+signature file-magic-auto81 {
+	file-mime "text/x-shellscript", 140
+	file-magic /(\x23\x21 ?\x2fbin\x2fzsh)/
+}
+
+# >0  string/c,=BEGIN:VCARD (len=11), ["vCard visiting card"], swap_endian=0
+signature file-magic-auto82 {
+	file-mime "text/x-vcard", 140
+	file-magic /(BEGIN\x3aVCARD)/
+}
+
+# >0  string,=HEADER     (len=10), [""], swap_endian=0
+# >>&0  regex/1,=^.{40} (len=6), [""], swap_endian=0
+# >>>&0  regex/1,=[0-9]{2}-[A-Z]{3}-[0-9]{2} {3} (len=30), [""], swap_endian=0
+# >>>>&0  regex/s/1,=[A-Z0-9]{4}.{14}$ (len=17), [""], swap_endian=0
+# >>>>>&0  regex/1,=[A-Z0-9]{4} (len=11), ["Protein Data Bank data, ID Code %s"], swap_endian=0
+signature file-magic-auto83 {
+	file-mime "chemical/x-pdb", 41
+	file-magic /(HEADER    )(^.{40})([0-9]{2}-[A-Z]{3}-[0-9]{2} {3})([A-Z0-9]{4}.{14}$)([A-Z0-9]{4})/
+}
+
+# >0  string/t,=Forward to (len=10), ["mail forwarding text"], swap_endian=0
+signature file-magic-auto84 {
+	file-mime "message/rfc822", 130
+	file-magic /(Forward to)/
+}
+
+# >0  string/wt,=#! /bin/sh (len=10), ["POSIX shell script text executable"], swap_endian=0
+signature file-magic-auto85 {
+	file-mime "text/x-shellscript", 130
+	file-magic /(\x23\x21 ?\x2fbin\x2fsh)/
+}
+
+# >0  string,=II*\000\020\000\000\000CR (len=10), ["Canon CR2 raw image data"], swap_endian=0
+signature file-magic-auto86 {
+	file-mime "image/x-canon-cr2", 130
+	file-magic /(II\x2a\x00\x10\x00\x00\x00CR)/
+}
+
+# >0  string,=<MakerFile (len=10), ["FrameMaker document"], swap_endian=0
+signature file-magic-auto87 {
+	file-mime "application/x-mif", 130
+	file-magic /(\x3cMakerFile)/
+}
+
+# >0  search/4096,=---  (len=4), [""], swap_endian=0
+# >>&0  search/1024,=\n (len=1), [""], swap_endian=0
+# >>>&0  search/1,=+++  (len=4), [""], swap_endian=0
+# >>>>&0  search/1024,=\n (len=1), [""], swap_endian=0
+# >>>>>&0  search/1,=@@ (len=2), ["unified diff output text"], swap_endian=0
+signature file-magic-auto88 {
+	file-mime "text/x-diff", 40
+	file-magic /(.*)(\x2d\x2d\x2d )(.*)(\x0a)(.*)(\x2b\x2b\x2b )(.*)(\x0a)(.*)(\x40\x40)/
+}
+
+# >0  string/t,=Received: (len=9), ["RFC 822 mail text"], swap_endian=0
+signature file-magic-auto89 {
+	file-mime "message/rfc822", 120
+	file-magic /(Received\x3a)/
+}
+
+# >0  string,=<BookFile (len=9), ["FrameMaker Book file"], swap_endian=0
+signature file-magic-auto90 {
+	file-mime "application/x-mif", 120
+	file-magic /(\x3cBookFile)/
+}
+
+# >2112  string,=MSWordDoc (len=9), ["Microsoft Word document data"], swap_endian=0
+signature file-magic-auto91 {
+	file-mime "application/msword", 120
+	file-magic /(.{2112})(MSWordDoc)/
+}
+
+# >0  string/t,=N#! rnews (len=9), ["mailed, batched news text"], swap_endian=0
+signature file-magic-auto92 {
+	file-mime "message/rfc822", 120
+	file-magic /(N\x23\x21 rnews)/
+}
+
+# >0  string/b,=WordPro\r\373 (len=9), ["Lotus WordPro"], swap_endian=0
+signature file-magic-auto93 {
+	file-mime "application/vnd.lotus-wordpro", 120
+	file-magic /(WordPro\x0d\xfb)/
+}
+
+# >0  string,=LPKSHHRH (len=8), [""], swap_endian=0
+# >>16  ubyte&000000fc,=0x00, [""], swap_endian=0
+# >>>24  ubequad&,>0 (0x0000000000000000), [""], swap_endian=0
+# >>>>32  ubequad&,>0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>40  ubequad&,>0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>>48  ubequad&,>0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>>>56  ubequad&,>0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>>>>64  ubequad&,>0 (0x0000000000000000), ["Journal file"], swap_endian=0
+signature file-magic-auto94 {
+	file-mime "application/octet-stream", 80
+	file-magic /(LPKSHHRH)(.{8})([\x00\x01\x02\x03])(.{7})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})/
+}
+
+# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
+# >>12  string,=DJVM (len=4), ["DjVu multiple page document"], swap_endian=0
+signature file-magic-auto95 {
+	file-mime "image/vnd.djvu", 70
+	file-magic /(AT\x26TFORM)(.{4})(DJVM)/
+}
+
+# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
+# >>12  string,=DJVU (len=4), ["DjVu image or single page document"], swap_endian=0
+signature file-magic-auto96 {
+	file-mime "image/vnd.djvu", 70
+	file-magic /(AT\x26TFORM)(.{4})(DJVU)/
+}
+
+# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
+# >>12  string,=DJVI (len=4), ["DjVu shared document"], swap_endian=0
+signature file-magic-auto97 {
+	file-mime "image/vnd.djvu", 70
+	file-magic /(AT\x26TFORM)(.{4})(DJVI)/
+}
+
+# >0  string,=AT&TFORM (len=8), [""], swap_endian=0
+# >>12  string,=THUM (len=4), ["DjVu page thumbnails"], swap_endian=0
+signature file-magic-auto98 {
+	file-mime "image/vnd.djvu", 70
+	file-magic /(AT\x26TFORM)(.{4})(THUM)/
+}
+
+# >0  string/t,=#! rnews (len=8), ["batched news text"], swap_endian=0
+signature file-magic-auto99 {
+	file-mime "message/rfc822", 110
+	file-magic /(\x23\x21 rnews)/
+}
+
+# >0  string/b,=MSCF\000\000\000\000 (len=8), ["Microsoft Cabinet archive data"], swap_endian=0
+signature file-magic-auto100 {
+	file-mime "application/vnd.ms-cab-compressed", 110
+	file-magic /(MSCF\x00\x00\x00\x00)/
+}
+
+# >0  string/b,=\320\317\021\340\241\261\032\341 (len=8), ["Microsoft Office Document"], swap_endian=0
+signature file-magic-auto101 {
+	file-mime "application/msword", 110
+	file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/
+}
+
+# >21  string/c,=!SCREAM! (len=8), ["Screamtracker 2 module sound data"], swap_endian=0
+signature file-magic-auto102 {
+	file-mime "audio/x-mod", 110
+	file-magic /(.{21})(\x21SCREAM\x21)/
+}
+
+# >21  string,=BMOD2STM (len=8), ["Screamtracker 2 module sound data"], swap_endian=0
+signature file-magic-auto103 {
+	file-mime "audio/x-mod", 110
+	file-magic /(.{21})(BMOD2STM)/
+}
+
+# >0  string/b,=ITOLITLS (len=8), ["Microsoft Reader eBook Data"], swap_endian=0
+# >>8  lelong&,x, [", version %u"], swap_endian=0
+signature file-magic-auto104 {
+	file-mime "application/x-ms-reader", 1
+	file-magic /(ITOLITLS)(.{4})/
+}
+
+# >4096  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 4k user block"], swap_endian=0
+signature file-magic-auto105 {
+	file-mime "application/x-hdf", 110
+	file-magic /(.{4096})(\x89HDF\x0d\x0a\x1a\x0a)/
+}
+
+# >2048  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 2k user block"], swap_endian=0
+signature file-magic-auto106 {
+	file-mime "application/x-hdf", 110
+	file-magic /(.{2048})(\x89HDF\x0d\x0a\x1a\x0a)/
+}
+
+# >1024  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 1k user block"], swap_endian=0
+signature file-magic-auto107 {
+	file-mime "application/x-hdf", 110
+	file-magic /(.{1024})(\x89HDF\x0d\x0a\x1a\x0a)/
+}
+
+# >512  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 512 bytes user block"], swap_endian=0
+signature file-magic-auto108 {
+	file-mime "application/x-hdf", 110
+	file-magic /(.{512})(\x89HDF\x0d\x0a\x1a\x0a)/
+}
+
+# >0  string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) data"], swap_endian=0
+signature file-magic-auto109 {
+	file-mime "application/x-hdf", 110
+	file-magic /(\x89HDF\x0d\x0a\x1a\x0a)/
+}
+
+# >0  string,=\211PNG\r\n\032\n (len=8), ["PNG image data"], swap_endian=0
+signature file-magic-auto110 {
+	file-mime "image/png", 110
+	file-magic /(\x89PNG\x0d\x0a\x1a\x0a)/
+}
+
+# >36  string,=acspSUNW (len=8), ["Sun KCMS ICC Profile"], swap_endian=0
+signature file-magic-auto111 {
+	file-mime "application/vnd.iccprofile", 110
+	file-magic /(.{36})(acspSUNW)/
+}
+
+# >36  string,=acspSGI  (len=8), ["SGI ICC Profile"], swap_endian=0
+signature file-magic-auto112 {
+	file-mime "application/vnd.iccprofile", 110
+	file-magic /(.{36})(acspSGI )/
+}
+
+# >36  string,=acspMSFT (len=8), ["Microsoft ICM Color Profile"], swap_endian=0
+signature file-magic-auto113 {
+	file-mime "application/vnd.iccprofile", 110
+	file-magic /(.{36})(acspMSFT)/
+}
+
+# >36  string,=acspAPPL (len=8), ["ColorSync ICC Profile"], swap_endian=0
+signature file-magic-auto114 {
+	file-mime "application/vnd.iccprofile", 110
+	file-magic /(.{36})(acspAPPL)/
+}
+
+# >0  string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0
+signature file-magic-auto115 {
+	file-mime "image/x-xcf", 110
+	file-magic /(gimp xcf)/
+}
+
+# >512  string,=R\000o\000o\000t\000 (len=8), ["Hangul (Korean) Word Processor File 2000"], swap_endian=0
+signature file-magic-auto116 {
+	file-mime "application/x-hwp", 110
+	file-magic /(.{512})(R\x00o\x00o\x00t\x00)/
+}
+
+# >257  string,=ustar  \000 (len=8), ["GNU tar archive"], swap_endian=0
+signature file-magic-auto117 {
+	file-mime "application/x-tar", 110
+	file-magic /(.{257})(ustar  \x00)/
+}
+
+# >0  string,=<MIFFile (len=8), ["FrameMaker MIF (ASCII) file"], swap_endian=0
+signature file-magic-auto118 {
+	file-mime "application/x-mif", 110
+	file-magic /(\x3cMIFFile)/
+}
+
+# >0  string,=PK\a\bPK\003\004 (len=8), ["Zip multi-volume archive data, at least PKZIP v2.50 to extract"], swap_endian=0
+signature file-magic-auto119 {
+	file-mime "application/zip", 110
+	file-magic /(PK\x07\x08PK\x03\x04)/
+}
+
+# >0  string/b,=\t\004\006\000\000\000\020\000 (len=8), ["Microsoft Excel Worksheet"], swap_endian=0
+signature file-magic-auto120 {
+	file-mime "application/vnd.ms-excel", 110
+	file-magic /(\x09\x04\x06\x00\x00\x00\x10\x00)/
+}
+
+# >0  string/b,=WordPro\000 (len=8), ["Lotus WordPro"], swap_endian=0
+signature file-magic-auto121 {
+	file-mime "application/vnd.lotus-wordpro", 110
+	file-magic /(WordPro\x00)/
+}
+
+# >0  string/t,=Article (len=7), ["saved news text"], swap_endian=0
+signature file-magic-auto122 {
+	file-mime "message/news", 100
+	file-magic /(Article)/
+}
+
+# >0  string,=\037\213 (len=2), ["gzip compressed data"], swap_endian=0
+signature file-magic-auto123 {
+	file-mime "application/x-gzip", 100
+	file-magic /(\x1f\x8b)/
+}
+
+# >0  string/t,=Pipe to (len=7), ["mail piping text"], swap_endian=0
+signature file-magic-auto124 {
+	file-mime "message/rfc822", 100
+	file-magic /(Pipe to)/
+}
+
+# >0  string,=.RMF\000\000\000 (len=7), ["RealMedia file"], swap_endian=0
+signature file-magic-auto125 {
+	file-mime "application/vnd.rn-realmedia", 100
+	file-magic /(\x2eRMF\x00\x00\x00)/
+}
+
+# >0  string,=StuffIt (len=7), ["StuffIt Archive"], swap_endian=0
+signature file-magic-auto126 {
+	file-mime "application/x-stuffit", 100
+	file-magic /(StuffIt)/
+}
+
+# >0  string,=!<arch> (len=7), ["current ar archive"], swap_endian=0
+signature file-magic-auto127 {
+	file-mime "application/x-archive", 100
+	file-magic /(\x21\x3carch\x3e)/
+}
+
+# >0  string,=P5 (len=2), [""], swap_endian=0
+# >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
+# >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
+signature file-magic-auto128 {
+	file-mime "image/x-portable-greymap", 42
+	file-magic /(P5)(.{1})([0-9]{1,50} )( [0-9]{1,50})/
+}
+
+# >0  string,=P6 (len=2), [""], swap_endian=0
+# >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
+# >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
+signature file-magic-auto129 {
+	file-mime "image/x-portable-pixmap", 42
+	file-magic /(P6)(.{1})([0-9]{1,50} )( [0-9]{1,50})/
+}
+
+# >0  string,=P4 (len=2), [""], swap_endian=0
+# >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
+# >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
+signature file-magic-auto130 {
+	file-mime "image/x-portable-bitmap", 42
+	file-magic /(P4)(.{1})([0-9]{1,50} )( [0-9]{1,50})/
+}
+
+# >257  string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0
+signature file-magic-auto131 {
+	file-mime "application/x-tar", 90
+	file-magic /(.{257})(ustar\x00)/
+}
+
+# >0  string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0
+signature file-magic-auto132 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1\x2e40)/
+}
+
+# >0  string,=AC1.50 (len=6), ["DWG AutoDesk AutoCAD Release 2.05"], swap_endian=0
+signature file-magic-auto133 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1\x2e50)/
+}
+
+# >0  string,=AC2.10 (len=6), ["DWG AutoDesk AutoCAD Release 2.10"], swap_endian=0
+signature file-magic-auto134 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC2\x2e10)/
+}
+
+# >0  string,=AC2.21 (len=6), ["DWG AutoDesk AutoCAD Release 2.21"], swap_endian=0
+signature file-magic-auto135 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC2\x2e21)/
+}
+
+# >0  string,=AC2.22 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0
+signature file-magic-auto136 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC2\x2e22)/
+}
+
+# >0  string,=AC1001 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0
+signature file-magic-auto137 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1001)/
+}
+
+# >0  string,=AC1002 (len=6), ["DWG AutoDesk AutoCAD Release 2.50"], swap_endian=0
+signature file-magic-auto138 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1002)/
+}
+
+# >0  string,=AC1003 (len=6), ["DWG AutoDesk AutoCAD Release 2.60"], swap_endian=0
+signature file-magic-auto139 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1003)/
+}
+
+# >0  string,=AC1004 (len=6), ["DWG AutoDesk AutoCAD Release 9"], swap_endian=0
+signature file-magic-auto140 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1004)/
+}
+
+# >0  string,=AC1006 (len=6), ["DWG AutoDesk AutoCAD Release 10"], swap_endian=0
+signature file-magic-auto141 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1006)/
+}
+
+# >0  string,=AC1009 (len=6), ["DWG AutoDesk AutoCAD Release 11/12"], swap_endian=0
+signature file-magic-auto142 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1009)/
+}
+
+# >0  string,=AC1012 (len=6), ["DWG AutoDesk AutoCAD Release 13"], swap_endian=0
+signature file-magic-auto143 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1012)/
+}
+
+# >0  string,=AC1014 (len=6), ["DWG AutoDesk AutoCAD Release 14"], swap_endian=0
+signature file-magic-auto144 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1014)/
+}
+
+# >0  string,=AC1015 (len=6), ["DWG AutoDesk AutoCAD 2000/2002"], swap_endian=0
+signature file-magic-auto145 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1015)/
+}
+
+# >0  string,=AC1018 (len=6), ["DWG AutoDesk AutoCAD 2004/2005/2006"], swap_endian=0
+signature file-magic-auto146 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1018)/
+}
+
+# >0  string,=AC1021 (len=6), ["DWG AutoDesk AutoCAD 2007/2008/2009"], swap_endian=0
+signature file-magic-auto147 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1021)/
+}
+
+# >0  string,=AC1024 (len=6), ["DWG AutoDesk AutoCAD 2010/2011/2012"], swap_endian=0
+signature file-magic-auto148 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1024)/
+}
+
+# >0  string,=AC1027 (len=6), ["DWG AutoDesk AutoCAD 2013/2014"], swap_endian=0
+signature file-magic-auto149 {
+	file-mime "image/vnd.dwg", 90
+	file-magic /(AC1027)/
+}
+
+# >0  string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0
+# >>7  byte&,x, [".%d"], swap_endian=0
+signature file-magic-auto150 {
+	file-mime "application/x-7z-compressed", 1
+	file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/
+}
+
+# >0  ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0
+signature file-magic-auto151 {
+	file-mime "application/x-xz", 90
+	file-magic /(\xfd7zXZ\x00)/
+}
+
+# >0  string,=<Maker (len=6), ["Intermediate Print File	FrameMaker IPL file"], swap_endian=0
+signature file-magic-auto152 {
+	file-mime "application/x-mif", 90
+	file-magic /(\x3cMaker)/
+}
+
+# >0  string,=GIF94z (len=6), ["ZIF image (GIF+deflate alpha)"], swap_endian=0
+signature file-magic-auto153 {
+	file-mime "image/x-unknown", 90
+	file-magic /(GIF94z)/
+}
+
+# >0  string,=FGF95a (len=6), ["FGF image (GIF+deflate beta)"], swap_endian=0
+signature file-magic-auto154 {
+	file-mime "image/x-unknown", 90
+	file-magic /(FGF95a)/
+}
+
+# >0  string/t,=# xmcd (len=6), ["xmcd database file for kscd"], swap_endian=0
+signature file-magic-auto155 {
+	file-mime "text/x-xmcd", 90
+	file-magic /(\x23 xmcd)/
+}
+
+# >0  string/b,=\333\245-\000\000\000 (len=6), ["Microsoft Office Document"], swap_endian=0
+signature file-magic-auto156 {
+	file-mime "application/msword", 90
+	file-magic /(\xdb\xa5\x2d\x00\x00\x00)/
+}
+
+# >2  string,=MMXPR3 (len=6), ["Motorola Quark Express Document (English)"], swap_endian=0
+signature file-magic-auto157 {
+	file-mime "application/x-quark-xpress-3", 90
+	file-magic /(.{2})(MMXPR3)/
+}
+
+# >0  search/1,=P1 (len=2), [""], swap_endian=0
+# >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
+# >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
+signature file-magic-auto158 {
+	file-mime "image/x-portable-bitmap", 42
+	file-magic /(.*)(P1)([0-9]{1,50} )( [0-9]{1,50})/
+}
+
+# >0  search/1,=P3 (len=2), [""], swap_endian=0
+# >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
+# >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
+signature file-magic-auto159 {
+	file-mime "image/x-portable-pixmap", 42
+	file-magic /(.*)(P3)([0-9]{1,50} )( [0-9]{1,50})/
+}
+
+# >0  search/1,=P2 (len=2), [""], swap_endian=0
+# >>3  regex,=[0-9]{1,50}  (len=12), [", size = %sx"], swap_endian=0
+# >>>3  regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0
+signature file-magic-auto160 {
+	file-mime "image/x-portable-greymap", 42
+	file-magic /(.*)(P2)([0-9]{1,50} )( [0-9]{1,50})/
+}
+
+# >0  string/t,=<?xml (len=5), [""], swap_endian=0
+# >>20  search/400,= xmlns= (len=7), [""], swap_endian=0
+# >>>&0  regex,=['"]http://earth.google.com/kml (len=31), ["Google KML document"], swap_endian=0
+signature file-magic-auto161 {
+	file-mime "application/vnd.google-earth.kml+xml", 61
+	file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fearth.google.com\x2fkml)/
+}
+
+# >0  string/t,=<?xml (len=5), [""], swap_endian=0
+# >>20  search/400,= xmlns= (len=7), [""], swap_endian=0
+# >>>&0  regex,=['"]http://www.opengis.net/kml (len=30), ["OpenGIS KML document"], swap_endian=0
+signature file-magic-auto162 {
+	file-mime "application/vnd.google-earth.kml+xml", 60
+	file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fwww.opengis.net\x2fkml)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>30  regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0
+# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0
+# >>>>&26  search/1000,=PK\003\004 (len=4), [""], swap_endian=0
+# >>>>>&26  string,=word/ (len=5), ["Microsoft Word 2007+"], swap_endian=0
+signature file-magic-auto163 {
+	file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
+	file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(word\x2f)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>30  regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0
+# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0
+# >>>>&26  search/1000,=PK\003\004 (len=4), [""], swap_endian=0
+# >>>>>&26  string,=ppt/ (len=4), ["Microsoft PowerPoint 2007+"], swap_endian=0
+signature file-magic-auto164 {
+	file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 70
+	file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(ppt\x2f)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>30  regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0
+# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0
+# >>>>&26  search/1000,=PK\003\004 (len=4), [""], swap_endian=0
+# >>>>>&26  string,=xl/ (len=3), ["Microsoft Excel 2007+"], swap_endian=0
+signature file-magic-auto165 {
+	file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 60
+	file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(xl\x2f)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXB (len=8), ["RINEX Data, GEO SBAS Broadcast"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto166 {
+	file-mime "rinex/broadcast", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXB)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXD (len=8), ["RINEX Data, Observation (Hatanaka comp)"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto167 {
+	file-mime "rinex/observation", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXD)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXC (len=8), ["RINEX Data, Clock"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto168 {
+	file-mime "rinex/clock", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXC)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXH (len=8), ["RINEX Data, GEO SBAS Navigation"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto169 {
+	file-mime "rinex/navigation", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXH)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXG (len=8), ["RINEX Data, GLONASS Navigation"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto170 {
+	file-mime "rinex/navigation", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXG)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXL (len=8), ["RINEX Data, Galileo Navigation"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto171 {
+	file-mime "rinex/navigation", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXL)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXM (len=8), ["RINEX Data, Meteorological"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto172 {
+	file-mime "rinex/meteorological", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXM)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXN (len=8), ["RINEX Data, Navigation	"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto173 {
+	file-mime "rinex/navigation", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXN)/
+}
+
+# >60  string,=RINEX (len=5), [""], swap_endian=0
+# >>80  search/256,=XXRINEXO (len=8), ["RINEX Data, Observation"], swap_endian=0
+# >>>5  string,x, [", version %6.6s"], swap_endian=0
+signature file-magic-auto174 {
+	file-mime "rinex/observation", 1
+	file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXO)/
+}
+
+# Doubt it's going to be common to have this many bytes buffered.
+# >37633  string,=CD001 (len=5), ["ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)"], swap_endian=0
+#signature file-magic-auto175 {
+#	file-mime "application/x-iso9660-image", 80
+#	file-magic /(.{37633})(CD001)/
+#}
+
+# >2  string,=-lhd- (len=5), ["LHa 2.x? archive data [lhd]"], swap_endian=0
+signature file-magic-auto176 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlhd\x2d)/
+}
+
+# >0  string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0
+# >>5  string,x, ["version %.4s"], swap_endian=0
+signature file-magic-auto177 {
+	file-mime "application/warc", 1
+	file-magic /(WARC\x2f)(.{0})/
+}
+
+# >0  string,=AC1.3 (len=5), ["DWG AutoDesk AutoCAD Release 1.3"], swap_endian=0
+signature file-magic-auto178 {
+	file-mime "image/vnd.dwg", 80
+	file-magic /(AC1\x2e3)/
+}
+
+# >2  string,=-lh - (len=5), ["LHa 2.x? archive data [lh ]"], swap_endian=0
+signature file-magic-auto179 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh \x2d)/
+}
+
+# >0  string,=AC1.2 (len=5), ["DWG AutoDesk AutoCAD Release 1.2"], swap_endian=0
+signature file-magic-auto180 {
+	file-mime "image/vnd.dwg", 80
+	file-magic /(AC1\x2e2)/
+}
+
+# >0  string,=MC0.0 (len=5), ["DWG AutoDesk AutoCAD Release 1.0"], swap_endian=0
+signature file-magic-auto181 {
+	file-mime "image/vnd.dwg", 80
+	file-magic /(MC0\x2e0)/
+}
+
+# >2  string,=-lzs- (len=5), ["LHa/LZS archive data [lzs]"], swap_endian=0
+signature file-magic-auto182 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlzs\x2d)/
+}
+
+# >2  string,=-lz5- (len=5), ["LHarc 1.x archive data [lz5]"], swap_endian=0
+signature file-magic-auto183 {
+	file-mime "application/x-lharc", 80
+	file-magic /(.{2})(\x2dlz5\x2d)/
+}
+
+# Doubt it's going to be common to have this many bytes buffered.
+# >32769  string,=CD001 (len=5), ["#"], swap_endian=0
+#signature file-magic-auto184 {
+#	file-mime "application/x-iso9660-image", 80
+#	file-magic /(.{32769})(CD001)/
+#}
+
+# >2  string,=-lh3- (len=5), ["LHa 2.x? archive data [lh3]"], swap_endian=0
+signature file-magic-auto185 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh3\x2d)/
+}
+
+# >2  string,=-lh2- (len=5), ["LHa 2.x? archive data [lh2]"], swap_endian=0
+signature file-magic-auto186 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh2\x2d)/
+}
+
+# >0  string,=\000\001\000\000\000 (len=5), ["TrueType font data"], swap_endian=0
+signature file-magic-auto187 {
+	file-mime "application/x-font-ttf", 80
+	file-magic /(\x00\x01\x00\x00\x00)/
+}
+
+# >0  string/b,=PO^Q` (len=5), ["Microsoft Word 6.0 Document"], swap_endian=0
+signature file-magic-auto188 {
+	file-mime "application/msword", 80
+	file-magic /(PO\x5eQ\x60)/
+}
+
+# >0  string,=%PDF- (len=5), ["PDF document"], swap_endian=0
+signature file-magic-auto189 {
+	file-mime "application/pdf", 80
+	file-magic /(\x25PDF\x2d)/
+}
+
+# >2114  string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0
+signature file-magic-auto190 {
+	file-mime "application/vnd.ms-excel", 80
+	file-magic /(.{2114})(Biff5)/
+}
+
+# >2121  string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0
+signature file-magic-auto191 {
+	file-mime "application/vnd.ms-excel", 80
+	file-magic /(.{2121})(Biff5)/
+}
+
+# >0  string/t,=Path: (len=5), ["news text"], swap_endian=0
+signature file-magic-auto192 {
+	file-mime "message/news", 80
+	file-magic /(Path\x3a)/
+}
+
+# >0  string/t,=Xref: (len=5), ["news text"], swap_endian=0
+signature file-magic-auto193 {
+	file-mime "message/news", 80
+	file-magic /(Xref\x3a)/
+}
+
+# >0  string/t,=From: (len=5), ["news or mail text"], swap_endian=0
+signature file-magic-auto194 {
+	file-mime "message/rfc822", 80
+	file-magic /(From\x3a)/
+}
+
+# >2  string,=-lh7- (len=5), ["LHa (2.x)/LHark archive data [lh7]"], swap_endian=0
+signature file-magic-auto195 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh7\x2d)/
+}
+
+# >0  string,={\rtf (len=5), ["Rich Text Format data,"], swap_endian=0
+signature file-magic-auto196 {
+	file-mime "text/rtf", 80
+	file-magic /(\x7b\x5crtf)/
+}
+
+# >2  string,=-lh6- (len=5), ["LHa (2.x) archive data [lh6]"], swap_endian=0
+signature file-magic-auto197 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh6\x2d)/
+}
+
+# >2  string,=-lh5- (len=5), ["LHa (2.x) archive data [lh5]"], swap_endian=0
+signature file-magic-auto198 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh5\x2d)/
+}
+
+# >2  string,=-lh4- (len=5), ["LHa (2.x) archive data [lh4]"], swap_endian=0
+signature file-magic-auto199 {
+	file-mime "application/x-lha", 80
+	file-magic /(.{2})(\x2dlh4\x2d)/
+}
+
+# >2  string,=-lz4- (len=5), ["LHarc 1.x archive data [lz4]"], swap_endian=0
+signature file-magic-auto200 {
+	file-mime "application/x-lharc", 80
+	file-magic /(.{2})(\x2dlz4\x2d)/
+}
+
+# >2  string,=-lh1- (len=5), ["LHarc 1.x/ARX archive data [lh1]"], swap_endian=0
+signature file-magic-auto201 {
+	file-mime "application/x-lharc", 80
+	file-magic /(.{2})(\x2dlh1\x2d)/
+}
+
+# >2  string,=-lh0- (len=5), ["LHarc 1.x/ARX archive data [lh0]"], swap_endian=0
+signature file-magic-auto202 {
+	file-mime "application/x-lharc", 80
+	file-magic /(.{2})(\x2dlh0\x2d)/
+}
+
+# >0  string,=%FDF- (len=5), ["FDF document"], swap_endian=0
+signature file-magic-auto203 {
+	file-mime "application/vnd.fdf", 80
+	file-magic /(\x25FDF\x2d)/
+}
+
+# >0  belong&,=443 (0x000001bb), [""], swap_endian=0
+signature file-magic-auto204 {
+	file-mime "video/mpeg", 71
+	file-magic /(\x00\x00\x01\xbb)/
+}
+
+# The non-sequential offsets and use of bitmask and relational operators
+# made this difficult to autogenerate.  Can see about manually creating
+# the correct character class later.
+# >0  ubelong&fff8fe00,=167772160 (0x0a000000), [""], swap_endian=0
+# >>3  ubyte&,>0x00, [""], swap_endian=0
+# >>>1  ubyte&,<0x06, [""], swap_endian=0
+# >>>>1  ubyte&,!0x01, ["PCX"], swap_endian=0
+#signature file-magic-auto205 {
+#	file-mime "image/x-pcx", 1
+#	file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05])(.*)([\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+#}
+
+# >0  belong&,=432 (0x000001b0), [""], swap_endian=0
+signature file-magic-auto206 {
+	file-mime "video/mp4v-es", 71
+	file-magic /(\x00\x00\x01\xb0)/
+}
+
+# >0  belong&,=437 (0x000001b5), [""], swap_endian=0
+signature file-magic-auto207 {
+	file-mime "video/mp4v-es", 71
+	file-magic /(\x00\x00\x01\xb5)/
+}
+
+# >0  string,=AWBM (len=4), [""], swap_endian=0
+# >>4  leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0
+signature file-magic-auto208 {
+	file-mime "image/x-award-bmp", 20
+	file-magic /(AWBM)(.{2})/
+}
+
+# >0  belong&,=435 (0x000001b3), [""], swap_endian=0
+signature file-magic-auto209 {
+	file-mime "video/mpv", 71
+	file-magic /(\x00\x00\x01\xb3)/
+}
+
+# Converting bitmask to character class might make the regex
+# unfriendly to humans.
+# >0  belong&ffffffffff5fff10,=1195376656 (0x47400010), [""], swap_endian=0
+#signature file-magic-auto210 {
+#	file-mime "video/mp2t", 71
+#	file-magic /(.{4})/
+#}
+
+# >0  belong&,=1 (0x00000001), [""], swap_endian=0
+# >>4  byte&0000001f,=0x07, [""], swap_endian=0
+signature file-magic-auto211 {
+	file-mime "video/h264", 41
+	file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/
+}
+
+# >0  belong&,=-889275714 (0xcafebabe), [""], swap_endian=0
+signature file-magic-auto212 {
+	file-mime "application/x-java-applet", 71
+	file-magic /(\xca\xfe\xba\xbe)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xba, ["MPEG sequence"], swap_endian=0
+signature file-magic-auto213 {
+	file-mime "video/mpeg", 40
+	file-magic /(\x00\x00\x01\xba)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0
+signature file-magic-auto214 {
+	file-mime "video/mpeg4-generic", 40
+	file-magic /(\x00\x00\x01\xb0)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0
+signature file-magic-auto215 {
+	file-mime "video/mpeg4-generic", 40
+	file-magic /(\x00\x00\x01\xb5)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb3, ["MPEG sequence"], swap_endian=0
+signature file-magic-auto216 {
+	file-mime "video/mpeg", 40
+	file-magic /(\x00\x00\x01\xb3)/
+}
+
+# >0  lelong&,=4 (0x00000004), [""], swap_endian=0
+# >>104  lelong&,=4 (0x00000004), ["X11 SNF font data, LSB first"], swap_endian=0
+signature file-magic-auto217 {
+	file-mime "application/x-font-sfn", 70
+	file-magic /(\x04\x00\x00\x00)(.{100})(\x04\x00\x00\x00)/
+}
+
+# >0  lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0
+signature file-magic-auto218 {
+	file-mime "application/x-lzma", 71
+	file-magic /(\x5d\x00\x00.)/
+}
+
+# This didn't auto-generate correctly due to non-sequential offsets and
+# use of bitwise/relational comparisons.  At a glance: may not be
+# that common/useful, leaving for later.
+# >512  ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0
+# >>21  ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0
+# >>>512  ubyte&,=0xfc, ["180k"], swap_endian=0
+# >>>>2574  ubequad&,=0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>2560  ubequad&,!0 (0x0000000000000000), [""], swap_endian=0
+#signature file-magic-auto219 {
+#	file-mime "application/x-ima", 2
+#	file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xfc])(.{2061})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/
+#}
+
+# This didn't auto-generate correctly due to non-sequential offsets and
+# use of bitwise/relational comparisons.  At a glance: may not be
+# that common/useful, leaving for later.
+# >512  ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0
+# >>21  ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0
+# >>>512  ubyte&,=0xfd, [""], swap_endian=0
+# >>>>2574  ubequad&,=0 (0x0000000000000000), [""], swap_endian=0
+#signature file-magic-auto220 {
+#	file-mime "application/x-ima", 111
+#	file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xfd])(.{2061})(\x00\x00\x00\x00\x00\x00\x00\x00)/
+#}
+
+# This didn't auto-generate correctly due to non-sequential offsets and
+# use of bitwise/relational comparisons.  At a glance: may not be
+# that common/useful, leaving for later.
+# >512  ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0
+# >>21  ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0
+# >>>512  ubyte&,=0xfe, [""], swap_endian=0
+# >>>>1024  ubelong&e0ffff00,=3774873344 (0xe0ffff00), ["160k"], swap_endian=0
+# >>>>>1550  ubequad&,=0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>>1536  ubequad&,!0 (0x0000000000000000), [""], swap_endian=0
+#signature file-magic-auto221 {
+#	file-mime "application/x-ima", 2
+#	file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xfe])(.{511})(.{4})(.{522})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/
+#}
+
+# This didn't auto-generate correctly due to non-sequential offsets and
+# use of bitwise/relational comparisons.  At a glance: may not be
+# that common/useful, leaving for later.
+# >512  ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0
+# >>21  ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0
+# >>>512  ubyte&,=0xff, ["320k"], swap_endian=0
+# >>>>1550  ubequad&,=0 (0x0000000000000000), [""], swap_endian=0
+# >>>>>1536  ubequad&,!0 (0x0000000000000000), [""], swap_endian=0
+#signature file-magic-auto222 {
+#	file-mime "application/x-ima", 2
+#	file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xff])(.{1037})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/
+#}
+
+# >0  string,=;ELC (len=4), [""], swap_endian=0
+# >>4  byte&,<0x20, ["Emacs/XEmacs v%d byte-compiled Lisp data"], swap_endian=0
+signature file-magic-auto223 {
+	file-mime "application/x-elc", 10
+	file-magic /(\x3bELC)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
+# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
+# >>>&1  string,=webm (len=4), ["WebM"], swap_endian=0
+signature file-magic-auto224 {
+	file-mime "video/webm", 70
+	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/
+}
+
+# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
+# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
+# >>>&1  string,=matroska (len=8), ["Matroska data"], swap_endian=0
+signature file-magic-auto225 {
+	file-mime "video/x-matroska", 110
+	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>4  byte&,=0x14, [""], swap_endian=0
+# >>>30  string,=doc.kml (len=7), ["Compressed Google KML Document, including resources."], swap_endian=0
+signature file-magic-auto226 {
+	file-mime "application/vnd.google-earth.kmz", 100
+	file-magic /(PK\x03\x04)([\x14])(.{25})(doc\x2ekml)/
+}
+
+# The indirect offset in the last magic rule means this has little chance
+# Also plenty of bitmasking/relational comparisons that weren't auto-generated.
+# of working.
+# >0  ulelong&804000e9,=233 (0x000000e9), [""], swap_endian=0
+# >>11  uleshort&000f001f,=0 (0x0000), [""], swap_endian=0
+# >>>11  uleshort&,<32769 (0x8001), [""], swap_endian=0
+# >>>>11  uleshort&,>31 (0x001f), [""], swap_endian=0
+# >>>>>21  ubyte&000000f0,=0xf0, [""], swap_endian=0
+# >>>>>>21  ubyte&,!0xf8, [""], swap_endian=0
+# >>>>>>>54  string,!FAT16 (len=5), [""], swap_endian=0
+# >>>>>>>>11 (leshort,&0), ulelong&00fffff0,=16777200 (0x00fffff0), [", followed by FAT"], swap_endian=0
+#signature file-magic-auto227 {
+#	file-mime "application/x-ima", 70
+#	file-magic /(.{4})(.{7})(.{2})(.*)(.{2})(.*)(.{2})(.{8})([\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{32})(FAT16)(.{4})/
+#}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=text (len=4), [""], swap_endian=0
+# >>>>>77  byte&,!0x2d, ["Text"], swap_endian=0
+signature file-magic-auto228 {
+	file-mime "application/vnd.oasis.opendocument.text", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=text (len=4), [""], swap_endian=0
+# >>>>>77  string,=-template (len=9), ["Text Template"], swap_endian=0
+signature file-magic-auto229 {
+	file-mime "application/vnd.oasis.opendocument.text-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=text (len=4), [""], swap_endian=0
+# >>>>>77  string,=-web (len=4), ["HTML Document Template"], swap_endian=0
+signature file-magic-auto230 {
+	file-mime "application/vnd.oasis.opendocument.text-web", 70
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dweb)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=text (len=4), [""], swap_endian=0
+# >>>>>77  string,=-master (len=7), ["Master Document"], swap_endian=0
+signature file-magic-auto231 {
+	file-mime "application/vnd.oasis.opendocument.text-master", 100
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dmaster)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=graphics (len=8), [""], swap_endian=0
+# >>>>>81  byte&,!0x2d, ["Drawing"], swap_endian=0
+signature file-magic-auto232 {
+	file-mime "application/vnd.oasis.opendocument.graphics", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=graphics (len=8), [""], swap_endian=0
+# >>>>>81  string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto233 {
+	file-mime "application/vnd.oasis.opendocument.graphics-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=presentation (len=12), [""], swap_endian=0
+# >>>>>85  byte&,!0x2d, ["Presentation"], swap_endian=0
+signature file-magic-auto234 {
+	file-mime "application/vnd.oasis.opendocument.presentation", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=presentation (len=12), [""], swap_endian=0
+# >>>>>85  string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto235 {
+	file-mime "application/vnd.oasis.opendocument.presentation-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=spreadsheet (len=11), [""], swap_endian=0
+# >>>>>84  byte&,!0x2d, ["Spreadsheet"], swap_endian=0
+signature file-magic-auto236 {
+	file-mime "application/vnd.oasis.opendocument.spreadsheet", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=spreadsheet (len=11), [""], swap_endian=0
+# >>>>>84  string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto237 {
+	file-mime "application/vnd.oasis.opendocument.spreadsheet-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=chart (len=5), [""], swap_endian=0
+# >>>>>78  byte&,!0x2d, ["Chart"], swap_endian=0
+signature file-magic-auto238 {
+	file-mime "application/vnd.oasis.opendocument.chart", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=chart (len=5), [""], swap_endian=0
+# >>>>>78  string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto239 {
+	file-mime "application/vnd.oasis.opendocument.chart-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=formula (len=7), [""], swap_endian=0
+# >>>>>80  byte&,!0x2d, ["Formula"], swap_endian=0
+signature file-magic-auto240 {
+	file-mime "application/vnd.oasis.opendocument.formula", 1110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=formula (len=7), [""], swap_endian=0
+# >>>>>80  string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto241 {
+	file-mime "application/vnd.oasis.opendocument.formula-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=database (len=8), ["Database"], swap_endian=0
+signature file-magic-auto242 {
+	file-mime "application/vnd.oasis.opendocument.database", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(database)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=image (len=5), [""], swap_endian=0
+# >>>>>78  byte&,!0x2d, ["Image"], swap_endian=0
+signature file-magic-auto243 {
+	file-mime "application/vnd.oasis.opendocument.image", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73  string,=image (len=5), [""], swap_endian=0
+# >>>>>78  string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto244 {
+	file-mime "application/vnd.oasis.opendocument.image-template", 120
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)(\x2dtemplate)/
+}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,=epub+zip (len=8), ["EPUB document"], swap_endian=0
+signature file-magic-auto245 {
+	file-mime "application/epub+zip", 110
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(epub\x2bzip)/
+}
+
+# Seems redundant with other zip signature below.
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50  string,!epub+zip (len=8), [""], swap_endian=0
+# >>>>50  string,!vnd.oasis.opendocument. (len=23), [""], swap_endian=0
+# >>>>>50  string,!vnd.sun.xml. (len=12), [""], swap_endian=0
+# >>>>>>50  string,!vnd.kde. (len=8), [""], swap_endian=0
+# >>>>>>>38  regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0
+#signature file-magic-auto246 {
+#	file-mime "application/zip", 39
+#	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)/
+#}
+
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26  string,=\b\000\000\000mimetype (len=12), [""], swap_endian=0
+# >>>38  string,!application/ (len=12), [""], swap_endian=0
+# >>>>38  regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0
+signature file-magic-auto247 {
+	file-mime "application/zip", 39
+	file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetype)/
+}
+
+# The indirect offset makes this difficult to convert.
+# The (.*) may be too generous.
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 (leshort,+30), leshort&,=-13570 (0xcafe), ["Java archive data (JAR)"], swap_endian=0
+signature file-magic-auto248 {
+	file-mime "application/java-archive", 50
+	file-magic /(PK\x03\x04)(.*)(\xfe\xca)/
+}
+
+# The indeirect offset and string inequality make this difficult to convert.
+# >0  string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 (leshort,+30), leshort&,!-13570 (0xcafe), [""], swap_endian=0
+# >>>26  string,!\b\000\000\000mimetype (len=12), ["Zip archive data"], swap_endian=0
+signature file-magic-auto249 {
+	file-mime "application/zip", 10
+	file-magic /(PK\x03\x04)(.{2})/
+}
+
+# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
+# >>4  byte&,&0x40, [""], swap_endian=0
+signature file-magic-auto250 {
+	file-mime "video/mp2p", 21
+	file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
+# >>4  byte&,^0x40, [""], swap_endian=0
+signature file-magic-auto251 {
+	file-mime "video/mpeg", 21
+	file-magic /(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
+}
+
+# >0  string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0
+signature file-magic-auto252 {
+	file-mime "video/x-sgi-movie", 70
+	file-magic /(MOVI)/
+}
+
+# >4  string,=moov (len=4), ["Apple QuickTime"], swap_endian=0
+signature file-magic-auto253 {
+	file-mime "video/quicktime", 70
+	file-magic /(.{4})(moov)/
+}
+
+# >4  string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0
+signature file-magic-auto254 {
+	file-mime "video/quicktime", 70
+	file-magic /(.{4})(mdat)/
+}
+
+# >4  string,=idsc (len=4), ["Apple QuickTime image (fast start)"], swap_endian=0
+signature file-magic-auto255 {
+	file-mime "image/x-quicktime", 70
+	file-magic /(.{4})(idsc)/
+}
+
+# >4  string,=pckg (len=4), ["Apple QuickTime compressed archive"], swap_endian=0
+signature file-magic-auto256 {
+	file-mime "application/x-quicktime-player", 70
+	file-magic /(.{4})(pckg)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0
+signature file-magic-auto257 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(isom)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0
+signature file-magic-auto258 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mp41)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mp42 (len=4), [", MPEG v4 system, version 2"], swap_endian=0
+signature file-magic-auto259 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mp42)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string/W,=jp2 (len=3), [", JPEG 2000"], swap_endian=0
+signature file-magic-auto260 {
+	file-mime "image/jp2", 60
+	file-magic /(.{4})(ftyp)(jp2)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto261 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3ge)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto262 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gg)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto263 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gp)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto264 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gs)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3g2 (len=3), [", MPEG v4 system, 3GPP2"], swap_endian=0
+signature file-magic-auto265 {
+	file-mime "video/3gpp2", 60
+	file-magic /(.{4})(ftyp)(3g2)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0
+signature file-magic-auto266 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mmp4)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0
+signature file-magic-auto267 {
+	file-mime "video/3gpp", 70
+	file-magic /(.{4})(ftyp)(avc1)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string/W,=M4A (len=3), [", MPEG v4 system, iTunes AAC-LC"], swap_endian=0
+signature file-magic-auto268 {
+	file-mime "audio/mp4", 60
+	file-magic /(.{4})(ftyp)(M4A)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string/W,=M4V (len=3), [", MPEG v4 system, iTunes AVC-LC"], swap_endian=0
+signature file-magic-auto269 {
+	file-mime "video/mp4", 60
+	file-magic /(.{4})(ftyp)(M4V)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string/W,=qt (len=2), [", Apple QuickTime movie"], swap_endian=0
+signature file-magic-auto270 {
+	file-mime "video/quicktime", 50
+	file-magic /(.{4})(ftyp)(qt)/
+}
+
+# >0  string,=Xcur (len=4), ["Xcursor data"], swap_endian=0
+signature file-magic-auto271 {
+	file-mime "image/x-xcursor", 70
+	file-magic /(Xcur)/
+}
+
+# >0  string,=ADIF (len=4), ["MPEG ADIF, AAC"], swap_endian=0
+signature file-magic-auto272 {
+	file-mime "audio/x-hx-aac-adif", 70
+	file-magic /(ADIF)/
+}
+
+# >0  belong&,=807842421 (0x3026b275), ["Microsoft ASF"], swap_endian=0
+signature file-magic-auto273 {
+	file-mime "video/x-ms-asf", 70
+	file-magic /(\x30\x26\xb2\x75)/
+}
+
+# >0  string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0
+signature file-magic-auto274 {
+	file-mime "video/x-mng", 70
+	file-magic /(\x8aMNG)/
+}
+
+# >0  string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0
+signature file-magic-auto275 {
+	file-mime "video/x-jng", 70
+	file-magic /(\x8bJNG)/
+}
+
+# >0  string,=MAC  (len=4), ["Monkey's Audio compressed format"], swap_endian=0
+signature file-magic-auto276 {
+	file-mime "audio/x-ape", 70
+	file-magic /(MAC )/
+}
+
+# >36  string,=acsp (len=4), ["ICC Profile"], swap_endian=0
+signature file-magic-auto277 {
+	file-mime "application/vnd.iccprofile", 70
+	file-magic /(.{36})(acsp)/
+}
+
+# >0  string,=FORM (len=4), ["IFF data"], swap_endian=0
+# >>8  string,=AIFF (len=4), [", AIFF audio"], swap_endian=0
+signature file-magic-auto278 {
+	file-mime "audio/x-aiff", 70
+	file-magic /(FORM)(.{4})(AIFF)/
+}
+
+# >0  string,=FORM (len=4), ["IFF data"], swap_endian=0
+# >>8  string,=AIFC (len=4), [", AIFF-C compressed audio"], swap_endian=0
+signature file-magic-auto279 {
+	file-mime "audio/x-aiff", 70
+	file-magic /(FORM)(.{4})(AIFC)/
+}
+
+# >0  string,=FORM (len=4), ["IFF data"], swap_endian=0
+# >>8  string,=8SVX (len=4), [", 8SVX 8-bit sampled sound voice"], swap_endian=0
+signature file-magic-auto280 {
+	file-mime "audio/x-aiff", 70
+	file-magic /(FORM)(.{4})(8SVX)/
+}
+
+# >0  string,=fLaC (len=4), ["FLAC audio bitstream data"], swap_endian=0
+signature file-magic-auto281 {
+	file-mime "audio/x-flac", 70
+	file-magic /(fLaC)/
+}
+
+# >0  string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0
+signature file-magic-auto282 {
+	file-mime "image/x-niff", 70
+	file-magic /(IIN1)/
+}
+
+# >0  string,=MM\000* (len=4), ["TIFF image data, big-endian"], swap_endian=0
+signature file-magic-auto283 {
+	file-mime "image/tiff", 70
+	file-magic /(MM\x00\x2a)/
+}
+
+# >0  string,=II*\000 (len=4), ["TIFF image data, little-endian"], swap_endian=0
+signature file-magic-auto284 {
+	file-mime "image/tiff", 70
+	file-magic /(II\x2a\x00)/
+}
+
+# >0  string,=MM\000+ (len=4), ["Big TIFF image data, big-endian"], swap_endian=0
+signature file-magic-auto285 {
+	file-mime "image/tiff", 70
+	file-magic /(MM\x00\x2b)/
+}
+
+# >0  string,=II+\000 (len=4), ["Big TIFF image data, little-endian"], swap_endian=0
+signature file-magic-auto286 {
+	file-mime "image/tiff", 70
+	file-magic /(II\x2b\x00)/
+}
+
+# >0  string,=GIF8 (len=4), ["GIF image data"], swap_endian=0
+signature file-magic-auto287 {
+	file-mime "image/gif", 70
+	file-magic /(GIF8)/
+}
+
+# >128  string,=DICM (len=4), ["DICOM medical imaging data"], swap_endian=0
+signature file-magic-auto288 {
+	file-mime "application/dicom", 70
+	file-magic /(.{128})(DICM)/
+}
+
+# >0  string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0
+signature file-magic-auto289 {
+	file-mime "image/vnd.adobe.photoshop", 70
+	file-magic /(8BPS)/
+}
+
+# >0  string,=IMPM (len=4), ["Impulse Tracker module sound data -"], swap_endian=0
+signature file-magic-auto290 {
+	file-mime "audio/x-mod", 70
+	file-magic /(IMPM)/
+}
+
+# >0  lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0
+signature file-magic-auto291 {
+	file-mime "image/x-exr", 70
+	file-magic /(\x76\x2f\x31\x01)/
+}
+
+# >0  string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0
+signature file-magic-auto292 {
+	file-mime "image/x-dpx", 70
+	file-magic /(SDPX)/
+}
+
+# >0  belong&,=235082497 (0x0e031301), ["Hierarchical Data Format (version 4) data"], swap_endian=0
+signature file-magic-auto293 {
+	file-mime "application/x-hdf", 70
+	file-magic /(\x0e\x03\x13\x01)/
+}
+
+# >0  string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0
+signature file-magic-auto294 {
+	file-mime "image/x-cpi", 70
+	file-magic /(CPC\xb2)/
+}
+
+# >0  string,=MMOR (len=4), ["Olympus ORF raw image data, big-endian"], swap_endian=0
+signature file-magic-auto295 {
+	file-mime "image/x-olympus-orf", 70
+	file-magic /(MMOR)/
+}
+
+# >0  string,=IIRO (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0
+signature file-magic-auto296 {
+	file-mime "image/x-olympus-orf", 70
+	file-magic /(IIRO)/
+}
+
+# >0  string,=IIRS (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0
+signature file-magic-auto297 {
+	file-mime "image/x-olympus-orf", 70
+	file-magic /(IIRS)/
+}
+
+# >0  string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0
+signature file-magic-auto298 {
+	file-mime "image/x-x3f", 70
+	file-magic /(FOVb)/
+}
+
+# >0  string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0
+signature file-magic-auto299 {
+	file-mime "image/x-paintnet", 70
+	file-magic /(PDN3)/
+}
+
+# >0  ulelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (little-endian)"], swap_endian=0
+signature file-magic-auto300 {
+	file-mime "application/vnd.tcpdump.pcap", 70
+	file-magic /(\xd4\xc3\xb2\xa1)/
+}
+
+# >0  ubelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (big-endian)"], swap_endian=0
+signature file-magic-auto301 {
+	file-mime "application/vnd.tcpdump.pcap", 70
+	file-magic /(\xa1\xb2\xc3\xd4)/
+}
+
+# >0  belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0
+signature file-magic-auto302 {
+	file-mime "application/x-java-keystore", 70
+	file-magic /(\xfe\xed\xfe\xed)/
+}
+
+# >0  belong&,=-825307442 (0xcececece), ["Java JCE KeyStore"], swap_endian=0
+signature file-magic-auto303 {
+	file-mime "application/x-java-jce-keystore", 70
+	file-magic /(\xce\xce\xce\xce)/
+}
+
+# >1080  string,=32CN (len=4), ["32-channel Taketracker module sound data"], swap_endian=0
+signature file-magic-auto304 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(32CN)/
+}
+
+# >1080  string,=16CN (len=4), ["16-channel Taketracker module sound data"], swap_endian=0
+signature file-magic-auto305 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(16CN)/
+}
+
+# >1080  string,=OKTA (len=4), ["8-channel Octalyzer module sound data"], swap_endian=0
+signature file-magic-auto306 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(OKTA)/
+}
+
+# >1080  string,=CD81 (len=4), ["8-channel Octalyser module sound data"], swap_endian=0
+signature file-magic-auto307 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(CD81)/
+}
+
+# >1080  string,=8CHN (len=4), ["8-channel Fasttracker module sound data"], swap_endian=0
+signature file-magic-auto308 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(8CHN)/
+}
+
+# >1080  string,=6CHN (len=4), ["6-channel Fasttracker module sound data"], swap_endian=0
+signature file-magic-auto309 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(6CHN)/
+}
+
+# >1080  string,=4CHN (len=4), ["4-channel Fasttracker module sound data"], swap_endian=0
+signature file-magic-auto310 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(4CHN)/
+}
+
+# >1080  string,=FLT8 (len=4), ["8-channel Startracker module sound data"], swap_endian=0
+signature file-magic-auto311 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(FLT8)/
+}
+
+# >1080  string,=FLT4 (len=4), ["4-channel Startracker module sound data"], swap_endian=0
+signature file-magic-auto312 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(FLT4)/
+}
+
+# >1080  string,=M!K! (len=4), ["4-channel Protracker module sound data"], swap_endian=0
+signature file-magic-auto313 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(M\x21K\x21)/
+}
+
+# >1080  string,=M.K. (len=4), ["4-channel Protracker module sound data"], swap_endian=0
+signature file-magic-auto314 {
+	file-mime "audio/x-mod", 70
+	file-magic /(.{1080})(M\x2eK\x2e)/
+}
+
+# >0  lelong&,=336851773 (0x1413f33d), ["SYSLINUX' LSS16 image data"], swap_endian=0
+signature file-magic-auto315 {
+	file-mime "image/x-lss16", 70
+	file-magic /(\x3d\xf3\x13\x14)/
+}
+
+# >0  belong&,=779248125 (0x2e7261fd), ["RealAudio sound file"], swap_endian=0
+signature file-magic-auto316 {
+	file-mime "audio/x-pn-realaudio", 70
+	file-magic /(\x2e\x72\x61\xfd)/
+}
+
+# >0  string,=CTMF (len=4), ["Creative Music (CMF) data"], swap_endian=0
+signature file-magic-auto317 {
+	file-mime "audio/x-unknown", 70
+	file-magic /(CTMF)/
+}
+
+# >0  string,=MThd (len=4), ["Standard MIDI data"], swap_endian=0
+signature file-magic-auto318 {
+	file-mime "audio/midi", 70
+	file-magic /(MThd)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=1 (0x00000001), ["8-bit ISDN mu-law,"], swap_endian=0
+signature file-magic-auto319 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x01\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=2 (0x00000002), ["8-bit linear PCM [REF-PCM],"], swap_endian=0
+signature file-magic-auto320 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x02\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=3 (0x00000003), ["16-bit linear PCM,"], swap_endian=0
+signature file-magic-auto321 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x03\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=4 (0x00000004), ["24-bit linear PCM,"], swap_endian=0
+signature file-magic-auto322 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x04\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=5 (0x00000005), ["32-bit linear PCM,"], swap_endian=0
+signature file-magic-auto323 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x05\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=6 (0x00000006), ["32-bit IEEE floating point,"], swap_endian=0
+signature file-magic-auto324 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x06\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=7 (0x00000007), ["64-bit IEEE floating point,"], swap_endian=0
+signature file-magic-auto325 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x07\x00\x00\x00)/
+}
+
+# >0  lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0
+# >>12  lelong&,=23 (0x00000017), ["8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.),"], swap_endian=0
+signature file-magic-auto326 {
+	file-mime "audio/x-dec-basic", 70
+	file-magic /(\x2e\x73\x64\x00)(.{8})(\x17\x00\x00\x00)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=1 (0x00000001), ["8-bit ISDN mu-law,"], swap_endian=0
+signature file-magic-auto327 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x01)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=2 (0x00000002), ["8-bit linear PCM [REF-PCM],"], swap_endian=0
+signature file-magic-auto328 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x02)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=3 (0x00000003), ["16-bit linear PCM,"], swap_endian=0
+signature file-magic-auto329 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x03)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=4 (0x00000004), ["24-bit linear PCM,"], swap_endian=0
+signature file-magic-auto330 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x04)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=5 (0x00000005), ["32-bit linear PCM,"], swap_endian=0
+signature file-magic-auto331 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x05)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=6 (0x00000006), ["32-bit IEEE floating point,"], swap_endian=0
+signature file-magic-auto332 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x06)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=7 (0x00000007), ["64-bit IEEE floating point,"], swap_endian=0
+signature file-magic-auto333 {
+	file-mime "audio/basic", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x07)/
+}
+
+# >0  string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0
+# >>12  belong&,=23 (0x00000017), ["8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.),"], swap_endian=0
+signature file-magic-auto334 {
+	file-mime "audio/x-adpcm", 70
+	file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x17)/
+}
+
+# >0  string,=SIT! (len=4), ["StuffIt Archive (data)"], swap_endian=0
+signature file-magic-auto335 {
+	file-mime "application/x-stuffit", 70
+	file-magic /(SIT\x21)/
+}
+
+# >0  lelong&,=574529400 (0x223e9f78), ["Transport Neutral Encapsulation Format"], swap_endian=0
+signature file-magic-auto336 {
+	file-mime "application/vnd.ms-tnef", 70
+	file-magic /(\x78\x9f\x3e\x22)/
+}
+
+# >0  string,=<ar> (len=4), ["System V Release 1 ar archive"], swap_endian=0
+signature file-magic-auto337 {
+	file-mime "application/x-archive", 70
+	file-magic /(\x3car\x3e)/
+}
+
+# >0  lelong&ffffffff8080ffff,=2074 (0x0000081a), ["ARC archive data, dynamic LZW"], swap_endian=0
+signature file-magic-auto338 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x08\x1a)/
+}
+
+# >0  lelong&ffffffff8080ffff,=2330 (0x0000091a), ["ARC archive data, squashed"], swap_endian=0
+signature file-magic-auto339 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x09\x1a)/
+}
+
+# >0  lelong&ffffffff8080ffff,=538 (0x0000021a), ["ARC archive data, uncompressed"], swap_endian=0
+signature file-magic-auto340 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x02\x1a)/
+}
+
+# >0  lelong&,=270539386 (0x10201a7a), ["Symbian installation file (Symbian OS 9.x)"], swap_endian=0
+signature file-magic-auto341 {
+	file-mime "x-epoc/x-sisx-app", 70
+	file-magic /(\x7a\x1a\x20\x10)/
+}
+
+# >8  lelong&,=268436505 (0x10000419), ["Symbian installation file"], swap_endian=0
+signature file-magic-auto342 {
+	file-mime "application/vnd.symbian.install", 70
+	file-magic /(.{8})(\x19\x04\x00\x10)/
+}
+
+# >0  lelong&ffffffff8080ffff,=794 (0x0000031a), ["ARC archive data, packed"], swap_endian=0
+signature file-magic-auto343 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x03\x1a)/
+}
+
+# >0  belong&,=518520576 (0x1ee7ff00), ["EET archive"], swap_endian=0
+signature file-magic-auto344 {
+	file-mime "application/x-eet", 70
+	file-magic /(\x1e\xe7\xff\x00)/
+}
+
+# >0  lelong&ffffffff8080ffff,=1050 (0x0000041a), ["ARC archive data, squeezed"], swap_endian=0
+signature file-magic-auto345 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x04\x1a)/
+}
+
+# >0  lelong&ffffffff8080ffff,=1562 (0x0000061a), ["ARC archive data, crunched"], swap_endian=0
+signature file-magic-auto346 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x06\x1a)/
+}
+
+# >0  lelong&ffffffff8080ffff,=2586 (0x00000a1a), ["PAK archive data"], swap_endian=0
+signature file-magic-auto347 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x0a\x1a)/
+}
+
+# >0  lelong&ffffffff8080ffff,=5146 (0x0000141a), ["ARC+ archive data"], swap_endian=0
+signature file-magic-auto348 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x14\x1a)/
+}
+
+# >20  lelong&,=-37443620 (0xfdc4a7dc), ["Zoo archive data"], swap_endian=0
+signature file-magic-auto349 {
+	file-mime "application/x-zoo", 70
+	file-magic /(.{20})(\xdc\xa7\xc4\xfd)/
+}
+
+# >0  string,=Rar! (len=4), ["RAR archive data,"], swap_endian=0
+signature file-magic-auto350 {
+	file-mime "application/x-rar", 70
+	file-magic /(Rar\x21)/
+}
+
+# >0  lelong&ffffffff8080ffff,=18458 (0x0000481a), ["HYP archive data"], swap_endian=0
+signature file-magic-auto351 {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x48\x1a)/
+}
+
+# >0  string,=drpm (len=4), ["Delta RPM"], swap_endian=0
+signature file-magic-auto352 {
+	file-mime "application/x-rpm", 70
+	file-magic /(drpm)/
+}
+
+# >0  belong&,=-307499301 (0xedabeedb), ["RPM"], swap_endian=0
+signature file-magic-auto353 {
+	file-mime "application/x-rpm", 70
+	file-magic /(\xed\xab\xee\xdb)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=WAVE (len=4), [", WAVE audio"], swap_endian=0
+signature file-magic-auto354 {
+	file-mime "audio/x-wav", 70
+	file-magic /(RIFF)(.{4})(WAVE)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0
+signature file-magic-auto355 {
+	file-mime "image/x-coreldraw", 70
+	file-magic /(RIFF)(.{4})(CDRA)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0
+signature file-magic-auto356 {
+	file-mime "image/x-coreldraw", 70
+	file-magic /(RIFF)(.{4})(CDR6)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=AVI  (len=4), [", AVI"], swap_endian=0
+signature file-magic-auto357 {
+	file-mime "video/x-msvideo", 70
+	file-magic /(RIFF)(.{4})(AVI )/
+}
+
+# >0  belong&,=834535424 (0x31be0000), ["Microsoft Word Document"], swap_endian=0
+signature file-magic-auto358 {
+	file-mime "application/msword", 70
+	file-magic /(\x31\xbe\x00\x00)/
+}
+
+# >0  string/b,=\3767\000# (len=4), ["Microsoft Office Document"], swap_endian=0
+signature file-magic-auto359 {
+	file-mime "application/msword", 70
+	file-magic /(\xfe7\x00\x23)/
+}
+
+# >0  string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0
+signature file-magic-auto360 {
+	file-mime "application/msword", 70
+	file-magic /(\xdb\xa5\x2d\x00)/
+}
+
+# >0  string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0
+signature file-magic-auto361 {
+	file-mime "application/msword", 70
+	file-magic /(\xdb\xa5\x2d\x00)/
+}
+
+# >0  belong&,=6656 (0x00001a00), ["Lotus 1-2-3"], swap_endian=0
+signature file-magic-auto362 {
+	file-mime "application/x-123", 70
+	file-magic /(\x00\x00\x1a\x00)/
+}
+
+# >0  belong&,=512 (0x00000200), ["Lotus 1-2-3"], swap_endian=0
+signature file-magic-auto363 {
+	file-mime "application/x-123", 70
+	file-magic /(\x00\x00\x02\x00)/
+}
+
+# >0  string/b,=\000\000\001\000 (len=4), ["MS Windows icon resource"], swap_endian=0
+signature file-magic-auto364 {
+	file-mime "image/x-icon", 70
+	file-magic /(\x00\x00\x01\x00)/
+}
+
+# >0  lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0
+# >>>8  lelong&,=268435588 (0x10000084), ["Agenda file"], swap_endian=0
+signature file-magic-auto365 {
+	file-mime "application/x-epoc-agenda", 70
+	file-magic /(\x50\x00\x00\x10)(\x6d\x00\x00\x10)(\x84\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0
+# >>>8  lelong&,=268435590 (0x10000086), ["Data file"], swap_endian=0
+signature file-magic-auto366 {
+	file-mime "application/x-epoc-data", 70
+	file-magic /(\x50\x00\x00\x10)(\x6d\x00\x00\x10)(\x86\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0
+# >>>8  lelong&,=268438762 (0x10000cea), ["Jotter file"], swap_endian=0
+signature file-magic-auto367 {
+	file-mime "application/x-epoc-jotter", 70
+	file-magic /(\x50\x00\x00\x10)(\x6d\x00\x00\x10)(\xea\x0c\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435522 (0x10000042), ["multi-bitmap image"], swap_endian=0
+signature file-magic-auto368 {
+	file-mime "image/x-epoc-mbm", 70
+	file-magic /(\x37\x00\x00\x10)(\x42\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), [""], swap_endian=0
+# >>>8  lelong&,=268435581 (0x1000007d), ["Sketch image"], swap_endian=0
+signature file-magic-auto369 {
+	file-mime "image/x-epoc-sketch", 70
+	file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x7d\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), [""], swap_endian=0
+# >>>8  lelong&,=268435583 (0x1000007f), ["Word file"], swap_endian=0
+signature file-magic-auto370 {
+	file-mime "application/x-epoc-word", 70
+	file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x7f\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), [""], swap_endian=0
+# >>>8  lelong&,=268435589 (0x10000085), ["OPL program (TextEd)"], swap_endian=0
+signature file-magic-auto371 {
+	file-mime "application/x-epoc-opl", 70
+	file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x85\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435565 (0x1000006d), [""], swap_endian=0
+# >>>8  lelong&,=268435592 (0x10000088), ["Sheet file"], swap_endian=0
+signature file-magic-auto372 {
+	file-mime "application/x-epoc-sheet", 70
+	file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x88\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435571 (0x10000073), ["OPO module"], swap_endian=0
+signature file-magic-auto373 {
+	file-mime "application/x-epoc-opo", 70
+	file-magic /(\x37\x00\x00\x10)(\x73\x00\x00\x10)/
+}
+
+# >0  lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0
+# >>4  lelong&,=268435572 (0x10000074), ["OPL application"], swap_endian=0
+signature file-magic-auto374 {
+	file-mime "application/x-epoc-app", 70
+	file-magic /(\x37\x00\x00\x10)(\x74\x00\x00\x10)/
+}
+
+# >0  long&,=398689 (0x00061561), ["Berkeley DB"], swap_endian=0
+signature file-magic-auto375 {
+	file-mime "application/x-dbm", 70
+	file-magic /((\x61\x15\x06\x00)|(\x00\x06\x15\x61))/
+}
+
+# >0  string,=GDBM (len=4), ["GNU dbm 2.x database"], swap_endian=0
+signature file-magic-auto376 {
+	file-mime "application/x-gdbm", 70
+	file-magic /(GDBM)/
+}
+
+# >0  lelong&,=324508366 (0x13579ace), ["GNU dbm 1.x or ndbm database, little endian"], swap_endian=0
+signature file-magic-auto377 {
+	file-mime "application/x-gdbm", 70
+	file-magic /(\xce\x9a\x57\x13)/
+}
+
+# >0  belong&,=324508366 (0x13579ace), ["GNU dbm 1.x or ndbm database, big endian"], swap_endian=0
+signature file-magic-auto378 {
+	file-mime "application/x-gdbm", 70
+	file-magic /(\x13\x57\x9a\xce)/
+}
+
+# >0  belong&,=4 (0x00000004), ["X11 SNF font data, MSB first"], swap_endian=0
+signature file-magic-auto379 {
+	file-mime "application/x-font-sfn", 70
+	file-magic /(\x00\x00\x00\x04)/
+}
+
+# >0  string,=OTTO (len=4), ["OpenType font data"], swap_endian=0
+signature file-magic-auto380 {
+	file-mime "application/vnd.ms-opentype", 70
+	file-magic /(OTTO)/
+}
+
+# >0  string,=<MML (len=4), ["FrameMaker MML file"], swap_endian=0
+signature file-magic-auto381 {
+	file-mime "application/x-mif", 70
+	file-magic /(\x3cMML)/
+}
+
+# >0  lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0
+signature file-magic-auto382 {
+	file-mime "application/x-lz4", 70
+	file-magic /(\x02\x21\x4c\x18)/
+}
+
+# >0  lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0
+signature file-magic-auto383 {
+	file-mime "application/x-lz4", 70
+	file-magic /(\x04\x22\x4d\x18)/
+}
+
+# >0  string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0
+# >>5  byte&,x, [".%d"], swap_endian=0
+signature file-magic-auto384 {
+	file-mime "application/x-lrzip", 1
+	file-magic /(LRZI)(.{1})(.{1})/
+}
+
+# >0  string,=OggS (len=4), ["Ogg data"], swap_endian=0
+signature file-magic-auto385 {
+	file-mime "application/ogg", 70
+	file-magic /(OggS)/
+}
+
+# >0  string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0
+signature file-magic-auto386 {
+	file-mime "application/x-lzip", 70
+	file-magic /(LZIP)/
+}
+
+# >0  belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
+# >>4  byte&,x, ["%d"], swap_endian=0
+signature file-magic-auto387 {
+	file-mime "application/x-java-pack200", 1
+	file-magic /(\xca\xfe\xd0\x0d)(.{1})/
+}
+
+# >0  belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0
+# >>4  byte&,x, ["%d"], swap_endian=0
+signature file-magic-auto388 {
+	file-mime "application/x-java-pack200", 1
+	file-magic /(\xca\xfe\xd0\x0d)(.{1})/
+}
+
+# >0  regex,=^( |\t){0,50}def {1,50}[a-zA-Z]{1,100} (len=38), [""], swap_endian=0
+# >>&0  regex,= {0,50}\(([a-zA-Z]|,| ){1,500}\):$ (len=34), ["Python script text executable"], swap_endian=0
+signature file-magic-auto389 {
+	file-mime "text/x-python", 64
+	file-magic /(^( |\t){0,50}def {1,50}[a-zA-Z]{1,100})( {0,50}\(([a-zA-Z]|,| ){1,500}\):$)/
+}
+
+# >0  search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto390 {
+	file-mime "text/x-tex", 62
+	file-magic /(.*)(\x5cdocumentstyle)/
+}
+
+# >0  string,=DOC (len=3), [""], swap_endian=0
+# >>43  byte&,=0x14, ["Just System Word Processor Ichitaro v4"], swap_endian=0
+signature file-magic-auto391 {
+	file-mime "application/x-ichitaro4", 40
+	file-magic /(DOC)(.{40})([\x14])/
+}
+
+# >0  string,=DOC (len=3), [""], swap_endian=0
+# >>43  byte&,=0x15, ["Just System Word Processor Ichitaro v5"], swap_endian=0
+signature file-magic-auto392 {
+	file-mime "application/x-ichitaro5", 40
+	file-magic /(DOC)(.{40})([\x15])/
+}
+
+# >1  string,=SaR (len=3), [""], swap_endian=0
+# >>0  string,=3 (len=1), ["Cups Raster version 3, Little Endian"], swap_endian=0
+signature file-magic-auto393 {
+	file-mime "application/vnd.cups-raster", 40
+	file-magic /(3)(SaR)/
+}
+
+# >0  string,=RaS (len=3), [""], swap_endian=0
+# >>3  string,=3 (len=1), ["Cups Raster version 3, Big Endian"], swap_endian=0
+signature file-magic-auto394 {
+	file-mime "application/vnd.cups-raster", 40
+	file-magic /(RaS)(3)/
+}
+
+# >0  string,=DOC (len=3), [""], swap_endian=0
+# >>43  byte&,=0x16, ["Just System Word Processor Ichitaro v6"], swap_endian=0
+signature file-magic-auto395 {
+	file-mime "application/x-ichitaro6", 40
+	file-magic /(DOC)(.{40})([\x16])/
+}
+
+# >0  search/w/1,=#! /usr/local/bin/php (len=21), ["PHP script text executable"], swap_endian=0
+signature file-magic-auto396 {
+	file-mime "text/x-php", 61
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fphp)/
+}
+
+# >0  search/1,=eval '(exit $?0)' && eval 'exec (len=31), ["Perl script text"], swap_endian=0
+signature file-magic-auto397 {
+	file-mime "text/x-perl", 61
+	file-magic /(.*)(eval \x27\x28exit \x24\x3f0\x29\x27 \x26\x26 eval \x27exec)/
+}
+
+# >0  regex,=^[ \t]*require[ \t]'[A-Za-z_/]+' (len=30), [""], swap_endian=0
+# >>0  regex,=include [A-Z]|def [a-z]| do$ (len=28), [""], swap_endian=0
+# >>>0  regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby script text"], swap_endian=0
+signature file-magic-auto398 {
+	file-mime "text/x-ruby", 54
+	file-magic /(^[ \x09]*require[ \x09]'[A-Za-z_\x2f]+')(include [A-Z]|def [a-z]| do$)(^[ \x09]*end([ \x09]*[;#].*)?$)/
+}
+
+# >0  search/1,=eval "exec /usr/local/bin/perl (len=30), ["Perl script text"], swap_endian=0
+signature file-magic-auto399 {
+	file-mime "text/x-perl", 60
+	file-magic /(.*)(eval \x22exec \x2fusr\x2flocal\x2fbin\x2fperl)/
+}
+
+# >0  string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0
+signature file-magic-auto400 {
+	file-mime "video/x-flv", 60
+	file-magic /(FLV)/
+}
+
+# >0  string,=MP+ (len=3), ["Musepack audio"], swap_endian=0
+signature file-magic-auto401 {
+	file-mime "audio/x-musepack", 60
+	file-magic /(MP\x2b)/
+}
+
+# >0  string,=PBF (len=3), ["PBF image (deflate compression)"], swap_endian=0
+signature file-magic-auto402 {
+	file-mime "image/x-unknown", 60
+	file-magic /(PBF)/
+}
+
+# >0  string,=SBI (len=3), ["SoundBlaster instrument data"], swap_endian=0
+signature file-magic-auto403 {
+	file-mime "audio/x-unknown", 60
+	file-magic /(SBI)/
+}
+
+# >0  string/b,=\224\246. (len=3), ["Microsoft Word Document"], swap_endian=0
+signature file-magic-auto404 {
+	file-mime "application/msword", 60
+	file-magic /(\x94\xa6\x2e)/
+}
+
+# >0  string,=\004%! (len=3), ["PostScript document text"], swap_endian=0
+signature file-magic-auto405 {
+	file-mime "application/postscript", 60
+	file-magic /(\x04\x25\x21)/
+}
+
+# >0  string,=BZh (len=3), ["bzip2 compressed data"], swap_endian=0
+signature file-magic-auto406 {
+	file-mime "application/x-bzip2", 60
+	file-magic /(BZh)/
+}
+
+# >0  regex,=^[ \t]*(class|module)[ \t][A-Z] (len=29), [""], swap_endian=0
+# >>0  regex,=(modul|includ)e [A-Z]|def [a-z] (len=31), [""], swap_endian=0
+# >>>0  regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby module source text"], swap_endian=0
+signature file-magic-auto407 {
+	file-mime "text/x-ruby", 54
+	file-magic /(^[ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/
+}
+
+# >512  string/b,=\354\245\301 (len=3), ["Microsoft Word Document"], swap_endian=0
+signature file-magic-auto408 {
+	file-mime "application/msword", 60
+	file-magic /(.{512})(\xec\xa5\xc1)/
+}
+
+# >0  string,=FWS (len=3), ["Macromedia Flash data,"], swap_endian=0
+# >>3  byte&,x, ["version %d"], swap_endian=0
+signature file-magic-auto409 {
+	file-mime "application/x-shockwave-flash", 1
+	file-magic /(FWS)(.{1})/
+}
+
+# >0  string,=CWS (len=3), ["Macromedia Flash data (compressed),"], swap_endian=0
+signature file-magic-auto410 {
+	file-mime "application/x-shockwave-flash", 60
+	file-magic /(CWS)/
+}
+
+# >0  regex/20,=^\.[A-Za-z0-9][A-Za-z0-9][ \t] (len=29), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto411 {
+	file-mime "text/troff", 59
+	file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/
+}
+
+# >0  search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0
+signature file-magic-auto412 {
+	file-mime "text/x-tex", 59
+	file-magic /(.*)(\x5cdocumentclass)/
+}
+
+# >0  regex,=^from\s+(\w|\.)+\s+import.*$ (len=28), ["Python script text executable"], swap_endian=0
+signature file-magic-auto413 {
+	file-mime "text/x-python", 58
+	file-magic /(^from\s+(\w|\.)+\s+import.*$)/
+}
+
+# >0  search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0
+signature file-magic-auto414 {
+	file-mime "text/x-tex", 58
+	file-magic /(.*)(\x5ccontentsline)/
+}
+
+# >0  search/4096,=\chapter (len=8), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto415 {
+	file-mime "text/x-tex", 56
+	file-magic /(.*)(\x5cchapter)/
+}
+
+# >0  search/4096,=\section (len=8), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto416 {
+	file-mime "text/x-tex", 56
+	file-magic /(.*)(\x5csection)/
+}
+
+# >0  regex/20,=^\.[A-Za-z0-9][A-Za-z0-9]$ (len=26), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto417 {
+	file-mime "text/troff", 56
+	file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/
+}
+
+# >0  search/w/1,=#! /usr/bin/php (len=15), ["PHP script text executable"], swap_endian=0
+signature file-magic-auto418 {
+	file-mime "text/x-php", 55
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fphp)/
+}
+
+# >0  search/4096,=\setlength (len=10), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto419 {
+	file-mime "text/x-tex", 55
+	file-magic /(.*)(\x5csetlength)/
+}
+
+# >0  search/1,=eval "exec /usr/bin/perl (len=24), ["Perl script text"], swap_endian=0
+signature file-magic-auto420 {
+	file-mime "text/x-perl", 54
+	file-magic /(.*)(eval \x22exec \x2fusr\x2fbin\x2fperl)/
+}
+
+# >0  search/w/1,=#! /usr/local/bin/python (len=24), ["Python script text executable"], swap_endian=0
+signature file-magic-auto421 {
+	file-mime "text/x-python", 54
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fpython)/
+}
+
+# >0  search/1,=Common subdirectories:  (len=23), ["diff output text"], swap_endian=0
+signature file-magic-auto422 {
+	file-mime "text/x-diff", 53
+	file-magic /(.*)(Common subdirectories\x3a )/
+}
+
+# >0  search/1,=#! /usr/bin/env python (len=22), ["Python script text executable"], swap_endian=0
+signature file-magic-auto423 {
+	file-mime "text/x-python", 52
+	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv python)/
+}
+
+# >0  search/w/1,=#! /usr/local/bin/ruby (len=22), ["Ruby script text executable"], swap_endian=0
+signature file-magic-auto424 {
+	file-mime "text/x-ruby", 52
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fruby)/
+}
+
+# >0  search/w/1,=#! /usr/local/bin/wish (len=22), ["Tcl/Tk script text executable"], swap_endian=0
+signature file-magic-auto425 {
+	file-mime "text/x-tcl", 52
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fwish)/
+}
+
+# >0  search/4096,=(custom-set-variables  (len=22), ["Lisp/Scheme program text"], swap_endian=0
+signature file-magic-auto426 {
+	file-mime "text/x-lisp", 52
+	file-magic /(.*)(\x28custom\x2dset\x2dvariables )/
+}
+
+# >0  beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0
+signature file-magic-auto427 {
+	file-mime "image/jpeg", 52
+	file-magic /(\xff\xd8)/
+}
+
+# >0  search/1,=#!/usr/bin/env python (len=21), ["Python script text executable"], swap_endian=0
+signature file-magic-auto428 {
+	file-mime "text/x-python", 51
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv python)/
+}
+
+# >0  search/1,=#!/usr/bin/env nodejs (len=21), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto429 {
+	file-mime "application/javascript", 51
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv nodejs)/
+}
+
+# >0  search/w/1,=#! /usr/local/bin/tcl (len=21), ["Tcl script text executable"], swap_endian=0
+signature file-magic-auto430 {
+	file-mime "text/x-tcl", 51
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcl)/
+}
+
+# This didn't autogenerate well due to indirect offset, bitmasking, and
+# relational comparisons.
+# >0  leshort&fffffffffffffefe,=0 (0x0000), [""], swap_endian=0
+# >>4  ulelong&fcfffe00,=0 (0x00000000), [""], swap_endian=0
+# >>>68  ulelong&,>87 (0x00000057), [""], swap_endian=0
+# >>>>68 (lelong,-1), ubelong&ffe0c519,=4194328 (0x00400018), ["Windows Precompiled iNF"], swap_endian=0
+#signature file-magic-auto431 {
+#	file-mime "application/x-pnf", 70
+#	file-magic /(.{2})(.{2})(.{4})(.{60})(.{4})(.{4})/
+#}
+
+# >0  search/w/1,=#! /usr/local/bin/lua (len=21), ["Lua script text executable"], swap_endian=0
+signature file-magic-auto432 {
+	file-mime "text/x-lua", 51
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2flua)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+signature file-magic-auto433 {
+	file-mime "application/x-dosexec", 51
+	file-magic /(MZ)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>30  string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0
+signature file-magic-auto434 {
+	file-mime "application/zip", 340
+	file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>30  string,=PKLITE Copr. (len=12), ["Self-extracting PKZIP archive"], swap_endian=0
+signature file-magic-auto435 {
+	file-mime "application/zip", 150
+	file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>36  string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+signature file-magic-auto436 {
+	file-mime "application/x-lha", 120
+	file-magic /(MZ)(.{34})(LHa\x27s SFX)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>36  string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+signature file-magic-auto437 {
+	file-mime "application/x-lha", 120
+	file-magic /(MZ)(.{34})(LHA\x27s SFX)/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1,  32 kbps"], swap_endian=0
+signature file-magic-auto438 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x20, ["MPEG ADTS, layer III, v1,  40 kbps"], swap_endian=0
+signature file-magic-auto439 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x30, ["MPEG ADTS, layer III, v1,  48 kbps"], swap_endian=0
+signature file-magic-auto440 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x40, ["MPEG ADTS, layer III, v1,  56 kbps"], swap_endian=0
+signature file-magic-auto441 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x50, ["MPEG ADTS, layer III, v1,  64 kbps"], swap_endian=0
+signature file-magic-auto442 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x60, ["MPEG ADTS, layer III, v1,  80 kbps"], swap_endian=0
+signature file-magic-auto443 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x70, ["MPEG ADTS, layer III, v1,  96 kbps"], swap_endian=0
+signature file-magic-auto444 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x80, ["MPEG ADTS, layer III, v1, 112 kbps"], swap_endian=0
+signature file-magic-auto445 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0x90, ["MPEG ADTS, layer III, v1, 128 kbps"], swap_endian=0
+signature file-magic-auto446 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xa0, ["MPEG ADTS, layer III, v1, 160 kbps"], swap_endian=0
+signature file-magic-auto447 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xb0, ["MPEG ADTS, layer III, v1, 192 kbps"], swap_endian=0
+signature file-magic-auto448 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xc0, ["MPEG ADTS, layer III, v1, 224 kbps"], swap_endian=0
+signature file-magic-auto449 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xd0, ["MPEG ADTS, layer III, v1, 256 kbps"], swap_endian=0
+signature file-magic-auto450 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf])/
+}
+
+# >0  beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0
+# >>2  byte&fffffffffffffff0,=0xe0, ["MPEG ADTS, layer III, v1, 320 kbps"], swap_endian=0
+signature file-magic-auto451 {
+	file-mime "audio/mpeg", 40
+	file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/
+}
+
+# >4  leshort&,=-20719 (0xaf11), [""], swap_endian=0
+# >>8  leshort&,=320 (0x0140), [""], swap_endian=0
+# >>>10  leshort&,=200 (0x00c8), [""], swap_endian=0
+# >>>>12  leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0
+signature file-magic-auto452 {
+	file-mime "video/x-fli", 50
+	file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/
+}
+
+# >4  leshort&,=-20718 (0xaf12), [""], swap_endian=0
+# >>12  leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0
+signature file-magic-auto453 {
+	file-mime "video/x-flc", 50
+	file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/
+}
+
+# >0  string,=BM (len=2), [""], swap_endian=0
+# >>14  leshort&,=12 (0x000c), ["PC bitmap, OS/2 1.x format"], swap_endian=0
+signature file-magic-auto454 {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /(BM)(.{12})(\x0c\x00)/
+}
+
+# >0  string,=BM (len=2), [""], swap_endian=0
+# >>14  leshort&,=64 (0x0040), ["PC bitmap, OS/2 2.x format"], swap_endian=0
+signature file-magic-auto455 {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /(BM)(.{12})(\x40\x00)/
+}
+
+# >0  string,=BM (len=2), [""], swap_endian=0
+# >>14  leshort&,=40 (0x0028), ["PC bitmap, Windows 3.x format"], swap_endian=0
+signature file-magic-auto456 {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /(BM)(.{12})(\x28\x00)/
+}
+
+# >0  string,=BM (len=2), [""], swap_endian=0
+# >>14  leshort&,=124 (0x007c), ["PC bitmap, Windows 98/2000 and newer format"], swap_endian=0
+signature file-magic-auto457 {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /(BM)(.{12})(\x7c\x00)/
+}
+
+# >0  string,=BM (len=2), [""], swap_endian=0
+# >>14  leshort&,=108 (0x006c), ["PC bitmap, Windows 95/NT4 and newer format"], swap_endian=0
+signature file-magic-auto458 {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /(BM)(.{12})(\x6c\x00)/
+}
+
+# >0  string,=BM (len=2), [""], swap_endian=0
+# >>14  leshort&,=128 (0x0080), ["PC bitmap, Windows NT/2000 format"], swap_endian=0
+signature file-magic-auto459 {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /(BM)(.{12})(\x80\x00)/
+}
+
+# >20  string,=45 (len=2), [""], swap_endian=0
+# >>0  regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0
+signature file-magic-auto460 {
+	file-mime "application/marc", 60
+	file-magic /(.{20})(45)(.*)((^[0-9]{5})[acdnp][^bhlnqsu-z])/
+}
+
+# >20  string,=45 (len=2), [""], swap_endian=0
+# >>0  regex/1,=(^[0-9]{5})[acdnosx][z] (len=23), ["MARC21 Authority"], swap_endian=0
+signature file-magic-auto461 {
+	file-mime "application/marc", 53
+	file-magic /(.{20})(45)(.*)((^[0-9]{5})[acdnosx][z])/
+}
+
+# >20  string,=45 (len=2), [""], swap_endian=0
+# >>0  regex/1,=(^[0-9]{5})[cdn][uvxy] (len=22), ["MARC21 Holdings"], swap_endian=0
+signature file-magic-auto462 {
+	file-mime "application/marc", 52
+	file-magic /(.{20})(45)(.*)((^[0-9]{5})[cdn][uvxy])/
+}
+
+# >0  search/4096,=\relax (len=6), ["LaTeX auxiliary file"], swap_endian=0
+signature file-magic-auto463 {
+	file-mime "text/x-tex", 51
+	file-magic /(.*)(\x5crelax)/
+}
+
+# >0  search/4096,=\begin (len=6), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto464 {
+	file-mime "text/x-tex", 51
+	file-magic /(.*)(\x5cbegin)/
+}
+
+# >0  search/4096,=\input (len=6), ["TeX document text"], swap_endian=0
+signature file-magic-auto465 {
+	file-mime "text/x-tex", 51
+	file-magic /(.*)(\x5cinput)/
+}
+
+# >0  leshort&,=-24712 (0x9f78), ["TNEF"], swap_endian=0
+signature file-magic-auto466 {
+	file-mime "application/vnd.ms-tnef", 50
+	file-magic /(\x78\x9f)/
+}
+
+# >0  leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0
+signature file-magic-auto467 {
+	file-mime "application/x-arj", 50
+	file-magic /(\x60\xea)/
+}
+
+# >0  search/1,=eval "exec /bin/perl (len=20), ["Perl script text"], swap_endian=0
+signature file-magic-auto468 {
+	file-mime "text/x-perl", 50
+	file-magic /(.*)(eval \x22exec \x2fbin\x2fperl)/
+}
+
+# >0  search/1,=#! /usr/bin/env perl (len=20), ["Perl script text executable"], swap_endian=0
+signature file-magic-auto469 {
+	file-mime "text/x-perl", 50
+	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv perl)/
+}
+
+# >0  beshort&,=-26368 (0x9900), ["PGP key public ring"], swap_endian=0
+signature file-magic-auto470 {
+	file-mime "application/x-pgp-keyring", 50
+	file-magic /(\x99\x00)/
+}
+
+# >0  beshort&,=-27391 (0x9501), ["PGP key security ring"], swap_endian=0
+signature file-magic-auto471 {
+	file-mime "application/x-pgp-keyring", 50
+	file-magic /(\x95\x01)/
+}
+
+# >0  beshort&,=-27392 (0x9500), ["PGP key security ring"], swap_endian=0
+signature file-magic-auto472 {
+	file-mime "application/x-pgp-keyring", 50
+	file-magic /(\x95\x00)/
+}
+
+# >0  beshort&,=-23040 (0xa600), ["PGP encrypted data"], swap_endian=0
+signature file-magic-auto473 {
+	file-mime "text/PGP", 50
+	file-magic /(\xa6\x00)/
+}
+
+# >0  string,=%! (len=2), ["PostScript document text"], swap_endian=0
+signature file-magic-auto474 {
+	file-mime "application/postscript", 50
+	file-magic /(\x25\x21)/
+}
+
+# >0  search/1,=#! /usr/bin/env ruby (len=20), ["Ruby script text executable"], swap_endian=0
+signature file-magic-auto475 {
+	file-mime "text/x-ruby", 50
+	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv ruby)/
+}
+
+# >0  regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0
+signature file-magic-auto476 {
+	file-mime "application/marc", 50
+	file-magic /((^[0-9]{5})[acdn][w])/
+}
+
+# >0  regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0
+# >>0  regex/1,=(^[0-9]{5})[cdn][q] (len=19), ["MARC21 Community"], swap_endian=0
+signature file-magic-auto477 {
+	file-mime "application/marc", 49
+	file-magic /((^[0-9]{5})[acdn][w])((^[0-9]{5})[cdn][q])/
+}
+
+# >0  regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0
+# >>0  regex/1,=(^.{21})([^0]{2}) (len=17), ["(non-conforming)"], swap_endian=0
+signature file-magic-auto478 {
+	file-mime "application/marc", 47
+	file-magic /((^[0-9]{5})[acdn][w])((^.{21})([^0]{2}))/
+}
+
+# >0  short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0
+signature file-magic-auto479 {
+	file-mime "application/x-cpio", 50
+	file-magic /((\x71\xc7)|(\xc7\x71))/
+}
+
+# >0  short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0
+signature file-magic-auto480 {
+	file-mime "application/x-cpio", 50
+	file-magic /((\xc7\x71)|(\x71\xc7))/
+}
+
+# >0  string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0
+signature file-magic-auto481 {
+	file-mime "application/x-elc", 50
+	file-magic /(\x0a\x28)/
+}
+
+# >0  string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0
+signature file-magic-auto482 {
+	file-mime "image/x-award-bioslogo", 50
+	file-magic /(\x11\x09)/
+}
+
+# >0  string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0
+signature file-magic-auto483 {
+	file-mime "image/x-award-bioslogo", 50
+	file-magic /(\x11\x06)/
+}
+
+# >0  string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0
+signature file-magic-auto484 {
+	file-mime "image/x-portable-pixmap", 50
+	file-magic /(P7)/
+}
+
+# >0  beshort&ffffffffffffffe0,=22240 (0x56e0), ["MPEG-4 LOAS"], swap_endian=0
+signature file-magic-auto485 {
+	file-mime "audio/x-mp4a-latm", 50
+	file-magic /(\x56[\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  beshort&fffffffffffffff6,=-16 (0xfff0), ["MPEG ADTS, AAC"], swap_endian=0
+signature file-magic-auto486 {
+	file-mime "audio/x-hx-aac-adts", 50
+	file-magic /(\xff[\xf0\xf1\xf8\xf9])/
+}
+
+# >0  beshort&fffffffffffffffe,=-30 (0xffe2), ["MPEG ADTS, layer III,  v2.5"], swap_endian=0
+signature file-magic-auto487 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xe2\xe3])/
+}
+
+# >0  beshort&fffffffffffffffe,=-10 (0xfff6), ["MPEG ADTS, layer I, v2"], swap_endian=0
+signature file-magic-auto488 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xf6\xf7])/
+}
+
+# >0  beshort&fffffffffffffffe,=-14 (0xfff2), ["MPEG ADTS, layer III, v2"], swap_endian=0
+signature file-magic-auto489 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xf2\xf3])/
+}
+
+# >0  beshort&fffffffffffffffe,=-4 (0xfffc), ["MPEG ADTS, layer II, v1"], swap_endian=0
+signature file-magic-auto490 {
+	file-mime "audio/mpeg", 50
+	file-magic /(\xff[\xfc\xfd])/
+}
+
+# >0  search/1,=#! /usr/bin/env wish (len=20), ["Tcl/Tk script text executable"], swap_endian=0
+signature file-magic-auto491 {
+	file-mime "text/x-tcl", 50
+	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv wish)/
+}
+
+# >0  beshort&,=-26367 (0x9901), ["GPG key public ring"], swap_endian=0
+signature file-magic-auto492 {
+	file-mime "application/x-gnupg-keyring", 50
+	file-magic /(\x99\x01)/
+}
+
+# >0  string,=\367\002 (len=2), ["TeX DVI file"], swap_endian=0
+signature file-magic-auto493 {
+	file-mime "application/x-dvi", 50
+	file-magic /(\xf7\x02)/
+}
+
+# >2  string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0
+signature file-magic-auto494 {
+	file-mime "application/x-tex-tfm", 50
+	file-magic /(.{2})(\x00\x11)/
+}
+
+# >2  string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0
+signature file-magic-auto495 {
+	file-mime "application/x-tex-tfm", 50
+	file-magic /(.{2})(\x00\x12)/
+}
+
+# >0  beshort&,=-31486 (0x8502), ["GPG encrypted data"], swap_endian=0
+signature file-magic-auto496 {
+	file-mime "text/PGP", 50
+	file-magic /(\x85\x02)/
+}
+
+# >4  string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0
+signature file-magic-auto497 {
+	file-mime "image/jp2", 50
+	file-magic /(.{4})(jP)/
+}
+
+# >0  regex,=^template[ \t\n]+ (len=15), ["C++ source text"], swap_endian=0
+signature file-magic-auto498 {
+	file-mime "text/x-c++", 50
+	file-magic /(^template[ \x09\x0a]+)/
+}
+
+# >0  search/c/1,=<?php (len=5), ["PHP script text"], swap_endian=0
+signature file-magic-auto499 {
+	file-mime "text/x-php", 50
+	file-magic /(.*)(\x3c\x3f[pP][hH][pP])/
+}
+
+# >0  string,=\037\235 (len=2), ["compress'd data"], swap_endian=0
+signature file-magic-auto500 {
+	file-mime "application/x-compress", 50
+	file-magic /(\x1f\x9d)/
+}
+
+# >0  string,=\037\036 (len=2), ["packed data"], swap_endian=0
+signature file-magic-auto501 {
+	file-mime "application/octet-stream", 50
+	file-magic /(\x1f\x1e)/
+}
+
+# >0  short&,=7967 (0x1f1f), ["old packed data"], swap_endian=0
+signature file-magic-auto502 {
+	file-mime "application/octet-stream", 50
+	file-magic /((\x1f\x1f)|(\x1f\x1f))/
+}
+
+# >0  short&,=8191 (0x1fff), ["compacted data"], swap_endian=0
+signature file-magic-auto503 {
+	file-mime "application/octet-stream", 50
+	file-magic /((\xff\x1f)|(\x1f\xff))/
+}
+
+# >0  string,=\377\037 (len=2), ["compacted data"], swap_endian=0
+signature file-magic-auto504 {
+	file-mime "application/octet-stream", 50
+	file-magic /(\xff\x1f)/
+}
+
+# >0  short&,=-13563 (0xcb05), ["huf output"], swap_endian=0
+signature file-magic-auto505 {
+	file-mime "application/octet-stream", 50
+	file-magic /((\x05\xcb)|(\xcb\x05))/
+}
+
+# >34  string,=LP (len=2), ["Embedded OpenType (EOT)"], swap_endian=0
+signature file-magic-auto506 {
+	file-mime "application/vnd.ms-fontobject", 50
+	file-magic /(.{34})(LP)/
+}
+
+# >0  beshort&,=2935 (0x0b77), ["ATSC A/52 aka AC-3 aka Dolby Digital stream,"], swap_endian=0
+signature file-magic-auto507 {
+	file-mime "audio/vnd.dolby.dd-raw", 50
+	file-magic /(\x0b\x77)/
+}
+
+# >0  search/1,=#!/usr/bin/env node (len=19), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto508 {
+	file-mime "application/javascript", 49
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv node)/
+}
+
+# >0  search/1,=#!/usr/bin/env wish (len=19), ["Tcl/Tk script text executable"], swap_endian=0
+signature file-magic-auto509 {
+	file-mime "text/x-tcl", 49
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv wish)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.asciiz (len=19), ["assembler source text"], swap_endian=0
+signature file-magic-auto510 {
+	file-mime "text/x-asm", 49
+	file-magic /(^[ \x09]{0,50}\.asciiz)/
+}
+
+# >0  search/1,=#!/usr/bin/env perl (len=19), ["Perl script text executable"], swap_endian=0
+signature file-magic-auto511 {
+	file-mime "text/x-perl", 49
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv perl)/
+}
+
+# >0  search/Wct/4096,=<!doctype html (len=14), ["HTML document text"], swap_endian=0
+signature file-magic-auto512 {
+	file-mime "text/html", 49
+	file-magic /(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
+}
+
+# >0  regex,=^virtual[ \t\n]+ (len=14), ["C++ source text"], swap_endian=0
+signature file-magic-auto513 {
+	file-mime "text/x-c++", 49
+	file-magic /(^virtual[ \x09\x0a]+)/
+}
+
+# >0  search/1,=#! /usr/bin/env lua (len=19), ["Lua script text executable"], swap_endian=0
+signature file-magic-auto514 {
+	file-mime "text/x-lua", 49
+	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv lua)/
+}
+
+# >0  search/1,=#!/usr/bin/env ruby (len=19), ["Ruby script text executable"], swap_endian=0
+signature file-magic-auto515 {
+	file-mime "text/x-ruby", 49
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv ruby)/
+}
+
+# >0  search/1,=#! /usr/bin/env tcl (len=19), ["Tcl script text executable"], swap_endian=0
+signature file-magic-auto516 {
+	file-mime "text/x-tcl", 49
+	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv tcl)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.globl (len=18), ["assembler source text"], swap_endian=0
+signature file-magic-auto517 {
+	file-mime "text/x-asm", 48
+	file-magic /(^[ \x09]{0,50}\.globl)/
+}
+
+# >0  search/1,=#!/usr/bin/env tcl (len=18), ["Tcl script text executable"], swap_endian=0
+signature file-magic-auto518 {
+	file-mime "text/x-tcl", 48
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv tcl)/
+}
+
+# >0  search/1,=#!/usr/bin/env lua (len=18), ["Lua script text executable"], swap_endian=0
+signature file-magic-auto519 {
+	file-mime "text/x-lua", 48
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv lua)/
+}
+
+# >0  search/w/1,=#! /usr/bin/python (len=18), ["Python script text executable"], swap_endian=0
+signature file-magic-auto520 {
+	file-mime "text/x-python", 48
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fpython)/
+}
+
+# >0  search/w/1,=#!/usr/bin/nodejs (len=17), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto521 {
+	file-mime "application/javascript", 47
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnodejs)/
+}
+
+# >0  regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0
+signature file-magic-auto522 {
+	file-mime "text/x-c++", 47
+	file-magic /(^class[ \x09\x0a]+)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.text (len=17), ["assembler source text"], swap_endian=0
+signature file-magic-auto523 {
+	file-mime "text/x-asm", 47
+	file-magic /(^[ \x09]{0,50}\.text)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.even (len=17), ["assembler source text"], swap_endian=0
+signature file-magic-auto524 {
+	file-mime "text/x-asm", 47
+	file-magic /(^[ \x09]{0,50}\.even)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.byte (len=17), ["assembler source text"], swap_endian=0
+signature file-magic-auto525 {
+	file-mime "text/x-asm", 47
+	file-magic /(^[ \x09]{0,50}\.byte)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.file (len=17), ["assembler source text"], swap_endian=0
+signature file-magic-auto526 {
+	file-mime "text/x-asm", 47
+	file-magic /(^[ \x09]{0,50}\.file)/
+}
+
+# >0  regex,=^[ \t]{0,50}\.type (len=17), ["assembler source text"], swap_endian=0
+signature file-magic-auto527 {
+	file-mime "text/x-asm", 47
+	file-magic /(^[ \x09]{0,50}\.type)/
+}
+
+# >0  search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0
+signature file-magic-auto528 {
+	file-mime "text/x-info", 47
+	file-magic /(.*)(This is Info file)/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0
+# >>>>&0  ubyte&,=0x5b, ["INItialization configuration"], swap_endian=0
+signature file-magic-auto529 {
+	file-mime "application/x-wine-extension-ini", 40
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([aA][uU][tT][oO][rR][uU][nN])]\x0d\x0a)([\x5b])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0
+# >>>>&0  ubyte&,!0x5b, ["Microsoft Windows Autorun file"], swap_endian=0
+signature file-magic-auto530 {
+	file-mime "application/x-setupscript", 1
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([aA][uU][tT][oO][rR][uU][nN])]\x0d\x0a)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(version|strings)] (len=19), ["Windows setup INFormation"], swap_endian=0
+signature file-magic-auto531 {
+	file-mime "application/x-setupscript", 49
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([vV][eE][rR][sS][iI][oO][nN]|[sS][tT][rR][iI][nN][gG][sS])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(WinsockCRCList|OEMCPL)] (len=25), ["Windows setup INFormation"], swap_endian=0
+signature file-magic-auto532 {
+	file-mime "text/inf", 55
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] (len=51), ["Windows desktop.ini"], swap_endian=0
+signature file-magic-auto533 {
+	file-mime "application/x-wine-extension-ini", 81
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^(.[Ss][hH][eE][lL][lL][Cc][lL][aA][sS][sS][Ii][nN][fF][oO]|[Dd][eE][lL][eE][tT][eE][Oo][nN][Cc][oO][pP][yY]|[Ll][oO][cC][aA][lL][iI][zZ][eE][dD][Ff][iI][lL][eE][Nn][aA][mM][eE][sS])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(don't load)] (len=14), ["Windows CONTROL.INI"], swap_endian=0
+signature file-magic-auto534 {
+	file-mime "application/x-wine-extension-ini", 44
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([dD][oO][nN]'[tT] [lL][oO][aA][dD])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(ndishlp\$|protman\$|NETBEUI\$)] (len=33), ["Windows PROTOCOL.INI"], swap_endian=0
+signature file-magic-auto535 {
+	file-mime "application/x-wine-extension-ini", 63
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([nN][dD][iI][sS][hH][lL][pP]\$|[pP][rR][oO][tT][mM][aA][nN]\$|[Nn][Ee][Tt][Bb][Ee][Uu][Ii]\$)])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(windows|Compatibility|embedding)] (len=35), ["Windows WIN.INI"], swap_endian=0
+signature file-magic-auto536 {
+	file-mime "application/x-wine-extension-ini", 65
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([wW][iI][nN][dD][oO][wW][sS]|[Cc][oO][mM][pP][aA][tT][iI][bB][iI][lL][iI][tT][yY]|[eE][mM][bB][eE][dD][dD][iI][nN][gG])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(boot|386enh|drivers)] (len=23), ["Windows SYSTEM.INI"], swap_endian=0
+signature file-magic-auto537 {
+	file-mime "application/x-wine-extension-ini", 53
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT]|386[eE][nN][hH]|[dD][rR][iI][vV][eE][rR][sS])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(SafeList)] (len=12), ["Windows IOS.INI"], swap_endian=0
+signature file-magic-auto538 {
+	file-mime "application/x-wine-extension-ini", 42
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ss][aA][fF][eE][Ll][iI][sS][tT])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  regex/c,=^(boot loader)] (len=15), ["Windows boot.ini"], swap_endian=0
+signature file-magic-auto539 {
+	file-mime "application/x-wine-extension-ini", 45
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT] [lL][oO][aA][dD][eE][rR])])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  ubequad&ffdfffdfffdfffdf,=24207144355233875 (0x0056004500520053), [""], swap_endian=0
+# >>>>&0  ubequad&ffdfffdfffdfffff,=20548012607406173 (0x0049004f004e005d), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto540 {
+	file-mime "application/x-setupscript", 110
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(\x00[\x56\x76]\x00[\x45\x65]\x00[\x52\x72]\x00[\x53\x73])(\x00[\x49\x69]\x00[\x4f\x6f]\x00[\x4e\x6e]\x00\x5d)/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  ubequad&ffdfffdfffdfffdf,=23362783849611337 (0x0053005400520049), [""], swap_endian=0
+# >>>>&0  ubequad&ffdfffdfffdfffff,=21955353131548765 (0x004e00470053005d), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto541 {
+	file-mime "application/x-setupscript", 110
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(\x00[\x53\x73]\x00[\x54\x74]\x00[\x52\x72]\x00[\x49\x69)(\x00[\x4e\x6e]\x00[\x47\x67]\x00[\x53\x73]\x00\x5d)/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  default&,x, [""], swap_endian=0
+# >>>>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>>>&0  string/c,=version (len=7), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto542 {
+	file-mime "application/x-setupscript", 100
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(.*)(\x5b)([vV][eE][rR][sS][iI][oO][nN])/
+}
+
+# >0  regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0  default&,x, [""], swap_endian=0
+# >>>>&0  search/8192,=[ (len=1), [""], swap_endian=0
+# >>>>>&0  ubequad&ffdfffdfffdfffdf,=24207144355233875 (0x0056004500520053), [""], swap_endian=0
+# >>>>>>&0  ubequad&ffdfffdfffdfffff,=20548012607406173 (0x0049004f004e005d), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto543 {
+	file-mime "application/x-setupscript", 110
+	file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(.*)(\x5b)(\x00[\x56\x76]\x00[\x45\x65]\x00[\x52\x72]\x00[\x53\x73])(\x00[\x49\x69]\x00[\x4f\x6f]\x00[\x4e\x6e]\x00\x5d)/
+}
+
+# >0  search/1,=<MakerDictionary (len=16), ["FrameMaker Dictionary text"], swap_endian=0
+signature file-magic-auto544 {
+	file-mime "application/x-mif", 46
+	file-magic /(.*)(\x3cMakerDictionary)/
+}
+
+# >0  search/w/1,=#! /usr/bin/wish (len=16), ["Tcl/Tk script text executable"], swap_endian=0
+signature file-magic-auto545 {
+	file-mime "text/x-tcl", 46
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fwish)/
+}
+
+# >0  search/w/1,=#! /usr/bin/ruby (len=16), ["Ruby script text executable"], swap_endian=0
+signature file-magic-auto546 {
+	file-mime "text/x-ruby", 46
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fruby)/
+}
+
+# >0  search/w/1,=#! /usr/bin/lua (len=15), ["Lua script text executable"], swap_endian=0
+signature file-magic-auto547 {
+	file-mime "text/x-lua", 45
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2flua)/
+}
+
+# >0  search/w/1,=#! /usr/bin/tcl (len=15), ["Tcl script text executable"], swap_endian=0
+signature file-magic-auto548 {
+	file-mime "text/x-tcl", 45
+	file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2ftcl)/
+}
+
+# >0  search/wct/4096,=<head (len=5), ["HTML document text"], swap_endian=0
+signature file-magic-auto549 {
+	file-mime "text/html", 45
+	file-magic /(.*)(\x3c[hH][eE][aA][dD])/
+}
+
+# >0  search/wct/4096,=<html (len=5), ["HTML document text"], swap_endian=0
+signature file-magic-auto550 {
+	file-mime "text/html", 45
+	file-magic /(.*)(\x3c[hH][tT][mM][lL])/
+}
+
+# >0  search/w/1,=#!/usr/bin/node (len=15), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto551 {
+	file-mime "application/javascript", 45
+	file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnode)/
+}
+
+# >0  search/wct/1,=<?xml (len=5), ["XML document text"], swap_endian=0
+signature file-magic-auto552 {
+	file-mime "application/xml", 45
+	file-magic /(.*)(\x3c\x3f[xX][mM][lL])/
+}
+
+# >0  search/1,=\input texinfo (len=14), ["Texinfo source text"], swap_endian=0
+signature file-magic-auto553 {
+	file-mime "text/x-texinfo", 44
+	file-magic /(.*)(\x5cinput texinfo)/
+}
+
+# >0  regex,=^private: (len=9), ["C++ source text"], swap_endian=0
+signature file-magic-auto554 {
+	file-mime "text/x-c++", 44
+	file-magic /(^private:)/
+}
+
+# >0  search/4096,=def __init__ (len=12), [""], swap_endian=0
+# >>&0  search/64,=self (len=4), ["Python script text executable"], swap_endian=0
+signature file-magic-auto555 {
+	file-mime "text/x-python", 38
+	file-magic /(.*)(def \x5f\x5finit\x5f\x5f)(.*)(self)/
+}
+
+# >0  search/wct/4096,=<a href= (len=8), ["HTML document text"], swap_endian=0
+signature file-magic-auto556 {
+	file-mime "text/html", 43
+	file-magic /(.*)(\x3c[aA] ?[hH][rR][eE][fF]\x3d)/
+}
+
+# >0  regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0
+signature file-magic-auto557 {
+	file-mime "text/x-c", 43
+	file-magic /(^extern[ \x09\x0a]+)/
+}
+
+# >0  search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto558 {
+	file-mime "text/x-tex", 43
+	file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/
+}
+
+# >0  regex,=^double[ \t\n]+ (len=13), ["C source text"], swap_endian=0
+signature file-magic-auto559 {
+	file-mime "text/x-c", 43
+	file-magic /(^double[ \x09\x0a]+)/
+}
+
+# >0  regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0
+signature file-magic-auto560 {
+	file-mime "text/x-c", 43
+	file-magic /(^struct[ \x09\x0a]+)/
+}
+
+# >0  search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto561 {
+	file-mime "application/javascript", 43
+	file-magic /(.*)(\x23\x21\x2fbin\x2fnodejs)/
+}
+
+# >0  regex,=^public: (len=8), ["C++ source text"], swap_endian=0
+signature file-magic-auto562 {
+	file-mime "text/x-c++", 43
+	file-magic /(^public:)/
+}
+
+# >0  search/wct/4096,=<script (len=7), ["HTML document text"], swap_endian=0
+signature file-magic-auto563 {
+	file-mime "text/html", 42
+	file-magic /(.*)(\x3c[sS][cC][rR][iI][pP][tT])/
+}
+
+# >0  regex,=^float[ \t\n]+ (len=12), ["C source text"], swap_endian=0
+signature file-magic-auto564 {
+	file-mime "text/x-c", 42
+	file-magic /(^float[ \x09\x0a]+)/
+}
+
+# >0  regex,=^union[ \t\n]+ (len=12), ["C source text"], swap_endian=0
+signature file-magic-auto565 {
+	file-mime "text/x-c", 42
+	file-magic /(^union[ \x09\x0a]+)/
+}
+
+# The use of non-sequential offsets and relational operations made the
+# autogenerated signature incorrrect.
+# >0  belong&,>100 (0x00000064), [""], swap_endian=0
+# >>8  belong&,<3 (0x00000003), [""], swap_endian=0
+# >>>12  belong&,<33 (0x00000021), [""], swap_endian=0
+# >>>>4  belong&,=7 (0x00000007), ["XWD X Window Dump image data"], swap_endian=0
+#signature file-magic-auto566 {
+#	file-mime "image/x-xwindowdump", 70
+#	file-magic /(.{4})(.{4})(.{4})(.{4})(.*)(\x00\x00\x00\x07)/
+#}
+
+# >0  search/wct/4096,=<title (len=6), ["HTML document text"], swap_endian=0
+signature file-magic-auto567 {
+	file-mime "text/html", 41
+	file-magic /(.*)(\x3c[tT][iI][tT][lL][eE])/
+}
+
+# >0  regex,=^char[ \t\n]+ (len=11), ["C source text"], swap_endian=0
+signature file-magic-auto568 {
+	file-mime "text/x-c", 41
+	file-magic /(^char[ \x09\x0a]+)/
+}
+
+# >0  search/1,=#! (len=2), [""], swap_endian=0
+# >>0  regex,=^#!.*/bin/perl$ (len=15), ["Perl script text executable"], swap_endian=0
+signature file-magic-auto569 {
+	file-mime "text/x-perl", 45
+	file-magic /(^#!.*\x2fbin\x2fperl$)/
+}
+
+# >0  search/w/1,=#!/bin/node (len=11), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto570 {
+	file-mime "application/javascript", 41
+	file-magic /(.*)(\x23\x21\x2fbin\x2fnode)/
+}
+
+# Too much use of bitmasking and relational comparisons and non-sequential
+# offsets for this to be autogenerated.  (Also, the depth isn't displayed
+# correctly in the debug output below: it reached a depth that exceeded
+# the code's ability to display the full amount of '>'s).
+# >0  ubelong&0000ffff,<3104 (0x00000c20), [""], swap_endian=0
+# >>2  ubyte&,>0x00, [""], swap_endian=0
+# >>>3  ubyte&,>0x00, [""], swap_endian=0
+# >>>>3  ubyte&,<0x20, [""], swap_endian=0
+# >>>>>0  ubyte&,>0x01, [""], swap_endian=0
+# >>>>>>27  ubyte&,=0x00, [""], swap_endian=0
+# >>>>>>>24  ubelong&ffffffff,<19931137 (0x01302001), [""], swap_endian=0
+# >>>>>>>>24  ubelong&ffffffff,=0 (0x00000000), [""], swap_endian=0
+# >12  ubelong&fffffefe,=0 (0x00000000), [""], swap_endian=0
+# >>28  ubyte&000000f8,=0x00, [""], swap_endian=0
+# >>>8  uleshort&,>31 (0x001f), [""], swap_endian=0
+# >>>>32  ubyte&,>0x00, [""], swap_endian=0
+#signature file-magic-auto571 {
+#	file-mime "application/x-dbf", 11
+#	file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])(.*)([\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{26})([\x00])(.*)(.{4})(.*)(.{4})(.*)(.{4})(.{12})([\x00\x01\x02\x03\x04\x05\x06\x07])(.*)(.{2})(.{22})([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+#}
+
+# >0  search/wct/4096,=<table (len=6), ["HTML document text"], swap_endian=0
+signature file-magic-auto572 {
+	file-mime "text/html", 41
+	file-magic /(.*)(\x3c[tT][aA][bB][lL][eE])/
+}
+
+# >0  string/t,=@ (len=1), [""], swap_endian=0
+# >>1  string/Wc,= echo off (len=9), ["DOS batch file text"], swap_endian=0
+signature file-magic-auto573 {
+	file-mime "text/x-msdos-batch", 120
+	file-magic /(\x40)( {1,}[eE][cC][hH][oO] {1,}[oO][fF][fF])/
+}
+
+# >0  string/t,=@ (len=1), [""], swap_endian=0
+# >>1  string/Wc,=echo off (len=8), ["DOS batch file text"], swap_endian=0
+signature file-magic-auto574 {
+	file-mime "text/x-msdos-batch", 110
+	file-magic /(\x40)([eE][cC][hH][oO] {1,}[oO][fF][fF])/
+}
+
+# >0  string/t,=@ (len=1), [""], swap_endian=0
+# >>1  string/Wc,=rem (len=3), ["DOS batch file text"], swap_endian=0
+signature file-magic-auto575 {
+	file-mime "text/x-msdos-batch", 60
+	file-magic /(\x40)([rR][eE][mM])/
+}
+
+# >0  string/t,=@ (len=1), [""], swap_endian=0
+# >>1  string/Wc,=set  (len=4), ["DOS batch file text"], swap_endian=0
+signature file-magic-auto576 {
+	file-mime "text/x-msdos-batch", 70
+	file-magic /(\x40)([sS][eE][tT] {1,})/
+}
+
+# >0  search/wct/4096,=<style (len=6), ["HTML document text"], swap_endian=0
+signature file-magic-auto577 {
+	file-mime "text/html", 41
+	file-magic /(.*)(\x3c[sS][tT][yY][lL][eE])/
+}
+
+# >0  regex,=^dnl  (len=5), ["M4 macro processor script text"], swap_endian=0
+signature file-magic-auto578 {
+	file-mime "text/x-m4", 40
+	file-magic /(^dnl )/
+}
+
+# >0  regex,=^all: (len=5), ["makefile script text"], swap_endian=0
+signature file-magic-auto579 {
+	file-mime "text/x-makefile", 40
+	file-magic /(^all:)/
+}
+
+# >0  regex,=^.PRECIOUS (len=10), ["makefile script text"], swap_endian=0
+signature file-magic-auto580 {
+	file-mime "text/x-makefile", 40
+	file-magic /(^.PRECIOUS)/
+}
+
+# >0  search/8192,=main( (len=5), ["C source text"], swap_endian=0
+signature file-magic-auto581 {
+	file-mime "text/x-c", 40
+	file-magic /(.*)(main\x28)/
+}
+
+# >0  search/1,=\" (len=2), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto582 {
+	file-mime "text/troff", 40
+	file-magic /(.*)(\x5c\x22)/
+}
+
+# >0  search/4096,=(defparam  (len=10), ["Lisp/Scheme program text"], swap_endian=0
+signature file-magic-auto583 {
+	file-mime "text/x-lisp", 40
+	file-magic /(.*)(\x28defparam )/
+}
+
+# >0  search/4096,=(autoload  (len=10), ["Lisp/Scheme program text"], swap_endian=0
+signature file-magic-auto584 {
+	file-mime "text/x-lisp", 40
+	file-magic /(.*)(\x28autoload )/
+}
+
+# >0  search/1,=diff  (len=5), ["diff output text"], swap_endian=0
+signature file-magic-auto585 {
+	file-mime "text/x-diff", 40
+	file-magic /(.*)(diff )/
+}
+
+# >0  regex,=^#include (len=9), ["C source text"], swap_endian=0
+signature file-magic-auto586 {
+	file-mime "text/x-c", 39
+	file-magic /(^#include)/
+}
+
+# >0  search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto587 {
+	file-mime "text/troff", 39
+	file-magic /(.*)(\x2e\x5c\x22)/
+}
+
+# >0  search/1,='\" (len=3), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto588 {
+	file-mime "text/troff", 39
+	file-magic /(.*)(\x27\x5c\x22)/
+}
+
+# >0  search/1,=<TeXmacs| (len=9), ["TeXmacs document text"], swap_endian=0
+signature file-magic-auto589 {
+	file-mime "text/texmacs", 39
+	file-magic /(.*)(\x3cTeXmacs\x7c)/
+}
+
+# >0  search/1,=/* XPM */ (len=9), ["X pixmap image text"], swap_endian=0
+signature file-magic-auto590 {
+	file-mime "image/x-xpmi", 39
+	file-magic /(.*)(\x2f\x2a XPM \x2a\x2f)/
+}
+
+# >0  search/1,=<?\n (len=3), ["PHP script text"], swap_endian=0
+signature file-magic-auto591 {
+	file-mime "text/x-php", 39
+	file-magic /(.*)(\x3c\x3f\x0a)/
+}
+
+# >0  search/1,=<?\r (len=3), ["PHP script text"], swap_endian=0
+signature file-magic-auto592 {
+	file-mime "text/x-php", 39
+	file-magic /(.*)(\x3c\x3f\x0d)/
+}
+
+# >0  search/1,=''' (len=3), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto593 {
+	file-mime "text/troff", 39
+	file-magic /(.*)(\x27\x27\x27)/
+}
+
+# >0  search/4096,=try: (len=4), [""], swap_endian=0
+# >>&0  regex,=^\s*except.*: (len=13), ["Python script text executable"], swap_endian=0
+signature file-magic-auto594 {
+	file-mime "text/x-python", 43
+	file-magic /(.*)(try\x3a)(^\s*except.*:)/
+}
+
+# >0  search/4096,=try: (len=4), [""], swap_endian=0
+# >>&0  search/4096,=finally: (len=8), ["Python script text executable"], swap_endian=0
+signature file-magic-auto595 {
+	file-mime "text/x-python", 38
+	file-magic /(.*)(try\x3a)(.*)(finally\x3a)/
+}
+
+# >0  search/8192,="LIBHDR" (len=8), ["BCPL source text"], swap_endian=0
+signature file-magic-auto596 {
+	file-mime "text/x-bcpl", 38
+	file-magic /(.*)(\x22LIBHDR\x22)/
+}
+
+# >0  regex,=^SUBDIRS (len=8), ["automake makefile script text"], swap_endian=0
+signature file-magic-auto597 {
+	file-mime "text/x-makefile", 38
+	file-magic /(^SUBDIRS)/
+}
+
+# >0  search/4096,=(defvar  (len=8), ["Lisp/Scheme program text"], swap_endian=0
+signature file-magic-auto598 {
+	file-mime "text/x-lisp", 38
+	file-magic /(.*)(\x28defvar )/
+}
+
+# >0  regex,=^program (len=8), ["Pascal source text"], swap_endian=0
+signature file-magic-auto599 {
+	file-mime "text/x-pascal", 38
+	file-magic /(^program)/
+}
+
+# >0  search/1,=Only in  (len=8), ["diff output text"], swap_endian=0
+signature file-magic-auto600 {
+	file-mime "text/x-diff", 38
+	file-magic /(.*)(Only in )/
+}
+
+# >0  search/1,=***  (len=4), ["diff output text"], swap_endian=0
+signature file-magic-auto601 {
+	file-mime "text/x-diff", 38
+	file-magic /(.*)(\x2a\x2a\x2a )/
+}
+
+# >0  search/1,='.\" (len=4), ["troff or preprocessor input text"], swap_endian=0
+signature file-magic-auto602 {
+	file-mime "text/troff", 38
+	file-magic /(.*)(\x27\x2e\x5c\x22)/
+}
+
+# >0  regex,=^LDFLAGS (len=8), ["makefile script text"], swap_endian=0
+signature file-magic-auto603 {
+	file-mime "text/x-makefile", 38
+	file-magic /(^LDFLAGS)/
+}
+
+# >0  search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0
+signature file-magic-auto604 {
+	file-mime "text/x-bcpl", 38
+	file-magic /(.*)(\x22libhdr\x22)/
+}
+
+# >0  regex,=^record (len=7), ["Pascal source text"], swap_endian=0
+signature file-magic-auto605 {
+	file-mime "text/x-pascal", 37
+	file-magic /(^record)/
+}
+
+# >0  regex,=^CFLAGS (len=7), ["makefile script text"], swap_endian=0
+signature file-magic-auto606 {
+	file-mime "text/x-makefile", 37
+	file-magic /(^CFLAGS)/
+}
+
+# >0  search/4096,=(defun  (len=7), ["Lisp/Scheme program text"], swap_endian=0
+signature file-magic-auto607 {
+	file-mime "text/x-lisp", 37
+	file-magic /(.*)(\x28defun )/
+}
+
+# >0  regex,=^msgid  (len=7), ["GNU gettext message catalogue text"], swap_endian=0
+signature file-magic-auto608 {
+	file-mime "text/x-po", 37
+	file-magic /(^msgid )/
+}
+
+# >0  search/8192,=(input, (len=7), ["Pascal source text"], swap_endian=0
+signature file-magic-auto609 {
+	file-mime "text/x-pascal", 37
+	file-magic /(.*)(\x28input\x2c)/
+}
+
+# >0  search/1,=Index: (len=6), ["RCS/CVS diff output text"], swap_endian=0
+signature file-magic-auto610 {
+	file-mime "text/x-diff", 36
+	file-magic /(.*)(Index\x3a)/
+}
+
+# >0  search/4096,=(setq  (len=6), ["Lisp/Scheme program text"], swap_endian=0
+signature file-magic-auto611 {
+	file-mime "text/x-lisp", 36
+	file-magic /(.*)(\x28setq )/
+}
+
+# >0  regex/100,=^[Cc][ \t] (len=9), ["FORTRAN program"], swap_endian=0
+signature file-magic-auto612 {
+	file-mime "text/x-fortran", 34
+	file-magic /(^[Cc][ \x09])/
+}
+
+# >0  search/wt/1,=<?XML (len=5), ["broken XML document text"], swap_endian=0
+signature file-magic-auto613 {
+	file-mime "application/xml", 30
+	file-magic /(.*)(\x3c\x3fXML)/
+}
+
+# >0  search/wtb/1,=<?xml (len=5), ["XML document text"], swap_endian=0
+signature file-magic-auto614 {
+	file-mime "application/xml", 30
+	file-magic /(.*)(\x3c\x3fxml)/
+}
+
+# >0  regex,^import.*;$ (len=10), ["Java source"], swap_endian=0
+signature file-magic-auto615 {
+	file-mime "text/x-java", 20
+	file-magic /(import.*;$)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x01, ["LSB"], swap_endian=0
+# >>>16  leshort&,=0 (0x0000), ["no file type,"], swap_endian=0
+signature file-magic-auto616 {
+	file-mime "application/octet-stream", 50
+	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x00\x00)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x02, ["MSB"], swap_endian=0
+# >>>16  leshort&,=0 (0x0000), ["no file type,"], swap_endian=1
+signature file-magic-auto617 {
+	file-mime "application/octet-stream", 50
+	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x00)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x01, ["LSB"], swap_endian=0
+# >>>16  leshort&,=1 (0x0001), ["relocatable,"], swap_endian=0
+signature file-magic-auto618 {
+	file-mime "application/x-object", 50
+	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x01\x00)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x02, ["MSB"], swap_endian=0
+# >>>16  leshort&,=1 (0x0001), ["relocatable,"], swap_endian=1
+signature file-magic-auto619 {
+	file-mime "application/x-object", 50
+	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x01)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x01, ["LSB"], swap_endian=0
+# >>>16  leshort&,=2 (0x0002), ["executable,"], swap_endian=0
+signature file-magic-auto620 {
+	file-mime "application/x-executable", 50
+	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x02\x00)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x02, ["MSB"], swap_endian=0
+# >>>16  leshort&,=2 (0x0002), ["executable,"], swap_endian=1
+signature file-magic-auto621 {
+	file-mime "application/x-executable", 50
+	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x02)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x01, ["LSB"], swap_endian=0
+# >>>16  leshort&,=3 (0x0003), ["shared object,"], swap_endian=0
+signature file-magic-auto622 {
+	file-mime "application/x-sharedlib", 50
+	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x03\x00)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x02, ["MSB"], swap_endian=0
+# >>>16  leshort&,=3 (0x0003), ["shared object,"], swap_endian=1
+signature file-magic-auto623 {
+	file-mime "application/x-sharedlib", 50
+	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x03)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x01, ["LSB"], swap_endian=0
+# >>>16  leshort&,=4 (0x0004), ["core file"], swap_endian=0
+signature file-magic-auto624 {
+	file-mime "application/x-coredump", 50
+	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x04\x00)/
+}
+
+# >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
+# >>5  byte&,=0x02, ["MSB"], swap_endian=0
+# >>>16  leshort&,=4 (0x0004), ["core file"], swap_endian=1
+signature file-magic-auto625 {
+	file-mime "application/x-coredump", 50
+	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x04)/
+}
+
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 46a838e8ae..6fc8c4f8f7 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -60,6 +60,23 @@ type addr_vec: vector of addr;
 ##    directly and then remove this alias.
 type table_string_of_string: table[string] of string;
 
+## A structure indicating a MIME type and strength of a match against
+## file magic signatures.
+##
+## :bro:see:`file_magic`
+type mime_match: record {
+	strength: int;    ##< How strongly the signature matched.  Used for
+	                  ##< prioritization when multiple file magic signatures
+	                  ##< match.
+	mime:     string; ##< The MIME type of the file magic signature match.
+};
+
+## A vector of file magic signature matches, ordered by strength of
+## the signature, strongest first.
+##
+## :bro:see:`file_magic`
+type mime_matches: vector of mime_match;
+
 ## A connection's transport-layer protocol. Note that Bro uses the term
 ## "connection" broadly, using flow semantics for ICMP and UDP.
 type transport_proto: enum {
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index d87574f4e5..856953a619 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -58,6 +58,5 @@
 @load base/files/extract
 @load base/files/unified2
 
-
 @load base/misc/find-checksum-offloading
 @load base/misc/find-filtered-trace
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index ecf8683ddd..34d7b4d6c6 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -387,9 +387,6 @@ install(TARGETS bro DESTINATION bin)
 set(BRO_EXE bro
     CACHE STRING "Bro executable binary" FORCE)
 
-# External libmagic project must be built before bro.
-add_dependencies(bro libmagic)
-
 # Target to create all the autogenerated files.
 add_custom_target(generate_outputs_stage1)
 add_dependencies(generate_outputs_stage1 ${bro_ALL_GENERATED_OUTPUTS})
diff --git a/src/NetVar.cc b/src/NetVar.cc
index 3e13728cd8..69960bb7bd 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -20,6 +20,8 @@ TableType* string_set;
 TableType* string_array;
 TableType* count_set;
 VectorType* string_vec;
+VectorType* mime_matches;
+RecordType* mime_match;
 
 int watchdog_interval;
 
@@ -330,6 +332,8 @@ void init_net_var()
 	string_set = internal_type("string_set")->AsTableType();
 	string_array = internal_type("string_array")->AsTableType();
 	string_vec = internal_type("string_vec")->AsVectorType();
+	mime_match = internal_type("mime_match")->AsRecordType();
+	mime_matches = internal_type("mime_matches")->AsVectorType();
 
 	ignore_checksums = opt_internal_int("ignore_checksums");
 	partial_connection_ok = opt_internal_int("partial_connection_ok");
diff --git a/src/NetVar.h b/src/NetVar.h
index 6a56e957ae..beb2e0bd69 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -23,6 +23,8 @@ extern TableType* string_set;
 extern TableType* string_array;
 extern TableType* count_set;
 extern VectorType* string_vec;
+extern VectorType* mime_matches;
+extern RecordType* mime_match;
 
 extern int watchdog_interval;
 
diff --git a/src/Rule.cc b/src/Rule.cc
index e9847c1721..c978b93177 100644
--- a/src/Rule.cc
+++ b/src/Rule.cc
@@ -38,7 +38,7 @@ Rule::~Rule()
 const char* Rule::TypeToString(Rule::PatternType type)
 	{
 	static const char* labels[] = {
-		"Payload", "HTTP-REQUEST", "HTTP-REQUEST-BODY",
+		"File Magic", "Payload", "HTTP-REQUEST", "HTTP-REQUEST-BODY",
 		"HTTP-REQUEST-HEADER", "HTTP-REPLY-BODY",
 		"HTTP-REPLY-HEADER", "FTP", "Finger",
 	};
diff --git a/src/Rule.h b/src/Rule.h
index e5ae703d39..8cfc3835dd 100644
--- a/src/Rule.h
+++ b/src/Rule.h
@@ -37,7 +37,7 @@ public:
 	unsigned int Index() const	{ return idx; }
 
 	enum PatternType {
-		PAYLOAD, HTTP_REQUEST, HTTP_REQUEST_BODY, HTTP_REQUEST_HEADER,
+		FILE_MAGIC, PAYLOAD, HTTP_REQUEST, HTTP_REQUEST_BODY, HTTP_REQUEST_HEADER,
 		HTTP_REPLY_BODY, HTTP_REPLY_HEADER, FTP, FINGER, TYPES,
 	};
 
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index ec57c96bd2..033c1b3806 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -35,6 +35,11 @@ void RuleActionEvent::PrintDebug()
 	fprintf(stderr, "	RuleActionEvent: |%s|\n", msg);
 	}
 
+void RuleActionMIME::PrintDebug()
+	{
+	fprintf(stderr, "	RuleActionMIME: |%s|\n", mime);
+	}
+
 RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
 	{
 	string str(arg_analyzer);
diff --git a/src/RuleAction.h b/src/RuleAction.h
index 67ceadc6f1..7b5a76fad5 100644
--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@@ -36,6 +36,31 @@ private:
 	const char* msg;
 };
 
+class RuleActionMIME : public RuleAction {
+public:
+	RuleActionMIME(const char* arg_mime, int arg_strength = 0)
+		{ mime = copy_string(arg_mime); strength = arg_strength; }
+
+	virtual ~RuleActionMIME()
+		{ delete [] mime; }
+
+	virtual void DoAction(const Rule* parent, RuleEndpointState* state,
+	                      const u_char* data, int len)
+		{ }
+
+	virtual void PrintDebug();
+
+	string GetMIME() const
+		{ return mime; }
+
+	int GetStrength() const
+		{ return strength; }
+
+private:
+	const char* mime;
+	int strength;
+};
+
 // Base class for enable/disable actions.
 class RuleActionAnalyzer : public RuleAction {
 public:
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index c78e65ea18..65fbe5602d 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -186,6 +186,15 @@ RuleEndpointState::~RuleEndpointState()
 		delete matched_text[j];
 	}
 
+RuleFileMagicState::~RuleFileMagicState()
+	{
+	loop_over_list(matchers, i)
+		{
+		delete matchers[i]->state;
+		delete matchers[i];
+		}
+	}
+
 RuleMatcher::RuleMatcher(int arg_RE_level)
 	{
 	root = new RuleHdrTest(RuleHdrTest::NOPROT, 0, 0, RuleHdrTest::EQ,
@@ -564,6 +573,127 @@ static inline bool compare(const vector<IPPrefix>& prefixes, const IPAddr& a,
 	return false;
 	}
 
+RuleFileMagicState* RuleMatcher::InitFileMagic() const
+	{
+	RuleFileMagicState* state = new RuleFileMagicState();
+
+	if ( rule_bench == 3 )
+		return state;
+
+	loop_over_list(root->psets[Rule::FILE_MAGIC], i)
+		{
+		RuleHdrTest::PatternSet* set = root->psets[Rule::FILE_MAGIC][i];
+		assert(set->re);
+		RuleFileMagicState::Matcher* m = new RuleFileMagicState::Matcher;
+		m->state = new RE_Match_State(set->re);
+		state->matchers.append(m);
+		}
+
+	// Save some memory.
+	state->matchers.resize(0);
+	return state;
+	}
+
+RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
+                                              const u_char* data, uint64 len,
+                                              MIME_Matches* rval) const
+	{
+	if ( ! rval )
+		rval = new MIME_Matches();
+
+	if ( ! state )
+		{
+		reporter->Warning("RuleFileMagicState not initialized yet.");
+		return rval;
+		}
+
+	if ( rule_bench >= 2 )
+		return rval;
+
+#ifdef DEBUG
+	if ( debug_logger.IsEnabled(DBG_RULES) )
+		{
+		const char* s = fmt_bytes(reinterpret_cast<const char*>(data),
+		                          min(40, static_cast<int>(len)));
+		DBG_LOG(DBG_RULES, "Matching %s rules on |%s%s|",
+		        Rule::TypeToString(Rule::FILE_MAGIC), s,
+		        len > 40 ? "..." : "");
+		}
+#endif
+
+	bool newmatch = false;
+
+	loop_over_list(state->matchers, x)
+		{
+		RuleFileMagicState::Matcher* m = state->matchers[x];
+
+		if ( m->state->Match(data, len, true, false, true) )
+			newmatch = true;
+		}
+
+	if ( ! newmatch )
+		return rval;
+
+	DBG_LOG(DBG_RULES, "New pattern match found");
+
+	AcceptingSet accepted;
+	int_list matchpos;
+
+	loop_over_list(state->matchers, y)
+		{
+		RuleFileMagicState::Matcher* m = state->matchers[y];
+		const AcceptingSet* ac = m->state->Accepted();
+
+		loop_over_list(*ac, k)
+			{
+			if ( ! accepted.is_member((*ac)[k]) )
+				{
+				accepted.append((*ac)[k]);
+				matchpos.append((*m->state->MatchPositions())[k]);
+				}
+			}
+		}
+
+	// Find rules for which patterns have matched.
+	rule_list matched;
+
+	loop_over_list(accepted, i)
+		{
+		Rule* r = Rule::rule_table[accepted[i] - 1];
+
+		DBG_LOG(DBG_RULES, "Checking rule: %v", r->id);
+
+		loop_over_list(r->patterns, j)
+			{
+			if ( ! accepted.is_member(r->patterns[j]->id) )
+				continue;
+
+			if ( (unsigned int) matchpos[i] >
+			     r->patterns[j]->offset + r->patterns[j]->depth )
+				continue;
+
+			DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
+			}
+
+		if ( ! matched.is_member(r) )
+			matched.append(r);
+		}
+
+	loop_over_list(matched, j)
+		{
+		Rule* r = matched[j];
+
+		loop_over_list(r->actions, rai)
+			{
+			const RuleActionMIME* ram = dynamic_cast<const RuleActionMIME*>(r->actions[rai]);
+			set<string>& ss = (*rval)[ram->GetStrength()];
+			ss.insert(ram->GetMIME());
+			}
+		}
+
+	return rval;
+	}
+
 RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
 						const IP_Hdr* ip, int caplen,
 						RuleEndpointState* opposite,
@@ -1010,6 +1140,15 @@ void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
 		state->matchers[j]->state->Clear();
 	}
 
+void RuleMatcher::ClearFileMagicState(RuleFileMagicState* state) const
+	{
+	if ( rule_bench == 3 )
+		return;
+
+	loop_over_list(state->matchers, j)
+		state->matchers[j]->state->Clear();
+	}
+
 void RuleMatcher::PrintDebug()
 	{
 	loop_over_list(rules, i)
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 0d7a2fbf7c..6f222b02eb 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -3,6 +3,10 @@
 
 #include <limits.h>
 #include <vector>
+#include <map>
+#include <functional>
+#include <set>
+#include <string>
 
 #include "IPAddr.h"
 #include "BroString.h"
@@ -191,6 +195,31 @@ private:
 	int_list matched_rules;		// Rules for which all conditions have matched
 };
 
+/**
+ * A state object used for matching file magic signatures.
+ */
+class RuleFileMagicState {
+friend class RuleMatcher;
+public:
+
+	~RuleFileMagicState();
+
+private:
+
+	// Ctor is private; use RuleMatcher::InitFileMagic() for instantiation.
+	RuleFileMagicState()
+		{ }
+
+	struct Matcher {
+		RE_Match_State* state;
+	};
+
+	declare(PList, Matcher);
+	typedef PList(Matcher) matcher_list;
+
+	matcher_list matchers;
+};
+
 
 // RuleMatcher is the main class which builds up the data structures
 // and performs the actual matching.
@@ -205,6 +234,42 @@ public:
 	// Parse the given files and built up data structures.
 	bool ReadFiles(const name_list& files);
 
+	/**
+	 * Inititialize a state object for matching file magic signatures.
+	 * @return A state object that can be used for file magic mime type
+	 *         identification.
+	 */
+	RuleFileMagicState* InitFileMagic() const;
+
+	/**
+	 * Data structure containing a set of matching file magic signatures.
+	 * Ordered from greatest to least strength.  Matches of the same strength
+	 * will be in the set in lexicographic order of the MIME type string.
+	 */
+	typedef map<int, set<string>, std::greater<int> > MIME_Matches;
+
+	/**
+	 * Matches a chunk of data against file magic signatures.
+	 * @param state A state object previously returned from
+	 *              RuleMatcher::InitFileMagic()
+	 * @param data Chunk of data to match signatures against.
+	 * @param len Length of \a data in bytes.
+	 * @param matches An optional pre-existing match result object to
+	 *                modify with additional matches.  If it's a null
+	 *                pointer, one will be instantiated and returned from
+	 *                this method.
+	 * @return The results of the signature matching.
+	 */
+	MIME_Matches* Match(RuleFileMagicState* state, const u_char* data,
+	                   uint64 len, MIME_Matches* matches = 0) const;
+
+
+	/**
+	 * Resets a state object used with matching file magic signatures.
+	 * @param state The state object to reset to an initial condition.
+	 */
+	void ClearFileMagicState(RuleFileMagicState* state) const;
+
 	// Initialize the matching state for a endpoind of a connection based on
 	// the given packet (which should be the first packet encountered for
 	// this endpoint). If the matching is triggered by an PIA, a pointer to
diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index d05e85df5d..6f6b41526a 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -3,6 +3,7 @@
 #include "File.h"
 
 #include "file_analysis/Manager.h"
+#include "RuleMatcher.h"
 #include "Reporter.h"
 #include "util.h"
 
@@ -48,14 +49,17 @@ void File_Analyzer::Done()
 
 void File_Analyzer::Identify()
 	{
-	const char* desc = bro_magic_buffer(magic_desc_cookie, buffer, buffer_len);
-	const char* mime = bro_magic_buffer(magic_mime_cookie, buffer, buffer_len);
-
+	RuleFileMagicState* fms = rule_matcher->InitFileMagic();
+	RuleMatcher::MIME_Matches matches;
+	rule_matcher->Match(fms, reinterpret_cast<const u_char*>(buffer),
+	                    buffer_len, &matches);
+	string match = matches.empty() ? "<unknown>"
+	                               : *(matches.begin()->second.begin());
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
 	vl->append(new StringVal(buffer_len, buffer));
-	vl->append(new StringVal(desc ? desc : "<unknown>"));
-	vl->append(new StringVal(mime ? mime : "<unknown>"));
+	vl->append(new StringVal("<unknown>"));
+	vl->append(new StringVal(match));
 	ConnectionEvent(file_transferred, vl);
 	}
 
diff --git a/src/analyzer/protocol/file/events.bif b/src/analyzer/protocol/file/events.bif
index 4277f1975f..ad054522ec 100644
--- a/src/analyzer/protocol/file/events.bif
+++ b/src/analyzer/protocol/file/events.bif
@@ -1,3 +1,12 @@
-## TODO.
+## Generated when a TCP connection associated w/ file data transfer is seen
+## typically (e.g. as happens w/ FTP or IRC).
 ##
+## c: The connection over which file data is transferred.
+##
+## prefix: Up to 1024 bytes of the file data.
+##
+## descr: Deprecated/unused argument.
+##
+## mime_type: MIME type of the file or "<unknown>" if no file magic signatures
+##            matched.
 event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
diff --git a/src/bro.bif b/src/bro.bif
index e772b6eadf..aea6377d91 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -835,30 +835,66 @@ function syslog%(s: string%): any
 	return 0;
 	%}
 
-%%{
-extern "C" {
-#include <magic.h>
-}
-%%}
-
-## Determines the MIME type of a piece of data using ``libmagic``.
+## Determines the MIME type of a piece of data using Bro's file magic
+## signatures.
 ##
 ## data: The data to find the MIME type for.
 ##
-## return_mime: If true, the function returns a short MIME type string (e.g.,
-##              ``text/plain`` instead of a more elaborate textual description).
+## return_mime: Deprecated argument; does nothing, except emit a warning
+##              when false.
 ##
-## Returns: The MIME type of *data*, or "<unknown>" if there was an error.
-function identify_data%(data: string, return_mime: bool%): string
+## Returns: The MIME type of *data*, or "<unknown>" if there was an error
+##          or no match.  This is the strongest signature match.
+##
+## .. bro:see:: file_magic
+function identify_data%(data: string, return_mime: bool &default=T%): string
 	%{
-	magic_t* magic = return_mime ? &magic_mime_cookie : &magic_desc_cookie;
+	if ( ! return_mime )
+		reporter->Warning("identify_data() builtin-function only returns MIME types, but verbose file info requested");
 
-	if( ! *magic )
+	static RuleFileMagicState* fms = rule_matcher->InitFileMagic();
+	rule_matcher->ClearFileMagicState(fms);
+	RuleMatcher::MIME_Matches matches;
+	rule_matcher->Match(fms, data->Bytes(), data->Len(), &matches);
+
+	if ( matches.empty() )
 		return new StringVal("<unknown>");
 
-	const char* desc = bro_magic_buffer(*magic, data->Bytes(), data->Len());
+	return new StringVal(*(matches.begin()->second.begin()));
+	%}
 
-	return new StringVal(desc ? desc : "<unknown>");
+## Determines the MIME type of a piece of data using Bro's file magic
+## signatures.
+##
+## data: The data for which to find matching MIME types.
+##
+## Returns: All matching signatures, in order of strength.
+##
+## .. bro:see:: identify_data
+function file_magic%(data: string%): mime_matches
+	%{
+	static RuleFileMagicState* fms = rule_matcher->InitFileMagic();
+	rule_matcher->ClearFileMagicState(fms);
+	RuleMatcher::MIME_Matches matches;
+	rule_matcher->Match(fms, data->Bytes(), data->Len(), &matches);
+	VectorVal* rval = new VectorVal(mime_matches);
+
+	for ( RuleMatcher::MIME_Matches::const_iterator it = matches.begin();
+	      it != matches.end(); ++it )
+		{
+		RecordVal* element = new RecordVal(mime_match);
+
+		for ( set<string>::const_iterator it2 = it->second.begin();
+		      it2 != it->second.end(); ++it2 )
+			{
+			element->Assign(0, new Val(it->first, TYPE_INT));
+			element->Assign(1, new StringVal(*it2));
+			}
+
+		rval->Assign(rval->Size(), element);
+		}
+
+	return rval;
 	%}
 
 ## Performs an entropy test on the given data.
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index deda0f9e93..d7cb6e09c7 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -10,6 +10,7 @@
 #include "Val.h"
 #include "Type.h"
 #include "Event.h"
+#include "RuleMatcher.h"
 
 #include "analyzer/Analyzer.h"
 #include "analyzer/Manager.h"
@@ -279,20 +280,17 @@ bool File::BufferBOF(const u_char* data, uint64 len)
 
 bool File::DetectMIME(const u_char* data, uint64 len)
 	{
-	const char* mime = bro_magic_buffer(magic_mime_cookie, data, len);
+	static RuleFileMagicState* fms = rule_matcher->InitFileMagic();
+	rule_matcher->ClearFileMagicState(fms);
+	RuleMatcher::MIME_Matches matches;
+	rule_matcher->Match(fms, data, len, &matches);
 
-	if ( mime )
-		{
-		const char* mime_end = strchr(mime, ';');
+	if ( matches.empty() )
+		return false;
 
-		if ( mime_end )
-			// strip off charset
-			val->Assign(mime_type_idx, new StringVal(mime_end - mime, mime));
-		else
-			val->Assign(mime_type_idx, new StringVal(mime));
-		}
+	val->Assign(mime_type_idx, new StringVal(*matches.begin()->second.begin()));
 
-	return mime;
+	return true;
 	}
 
 void File::ReplayBOF()
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 6354c1c7e9..131121e9d4 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -225,11 +225,12 @@ protected:
 	void ReplayBOF();
 
 	/**
-	 * Does mime type detection and assigns type (if available) to \c mime_type
+	 * Does mime type detection via file magic signatures and assigns
+	 * strongest matching mime type (if available) to \c mime_type
 	 * field in #val.
 	 * @param data pointer to a chunk of file data.
 	 * @param len number of bytes in the data chunk.
-	 * @return whether mime type was available.
+	 * @return whether a mime type match was found.
 	 */
 	bool DetectMIME(const u_char* data, uint64 len);
 
diff --git a/src/main.cc b/src/main.cc
index 53a0cb20ee..a701e5abe1 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -23,7 +23,6 @@ extern "C" {
 #endif
 
 #include <openssl/md5.h>
-#include <magic.h>
 
 extern "C" void OPENSSL_add_all_algorithms_conf(void);
 
@@ -69,9 +68,6 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 
 Brofiler brofiler;
 
-magic_t magic_desc_cookie = 0;
-magic_t magic_mime_cookie = 0;
-
 #ifndef HAVE_STRSEP
 extern "C" {
 char* strsep(char**, const char*);
@@ -218,7 +214,6 @@ void usage()
 #endif
 
 	fprintf(stderr, "    $BROPATH                       | file search path (%s)\n", bro_path());
-	fprintf(stderr, "    $BROMAGIC                      | libmagic mime magic database search path (%s)\n", bro_magic_path());
 	fprintf(stderr, "    $BRO_PREFIXES                  | prefix list (%s)\n", bro_prefixes().c_str());
 	fprintf(stderr, "    $BRO_DNS_FAKE                  | disable DNS lookups (%s)\n", bro_dns_fake());
 	fprintf(stderr, "    $BRO_SEED_FILE                 | file to load seeds from (not set)\n");
@@ -778,9 +773,6 @@ int main(int argc, char** argv)
 	curl_global_init(CURL_GLOBAL_ALL);
 #endif
 
-	bro_init_magic(&magic_desc_cookie, MAGIC_NONE);
-	bro_init_magic(&magic_mime_cookie, MAGIC_MIME);
-
 	int r = sqlite3_initialize();
 
 	if ( r != SQLITE_OK )
diff --git a/src/rule-parse.y b/src/rule-parse.y
index 47346eb7b9..b0e00d10ed 100644
--- a/src/rule-parse.y
+++ b/src/rule-parse.y
@@ -34,6 +34,7 @@ static uint8_t mask_to_len(uint32_t mask)
 %token TOK_ENABLE
 %token TOK_EVAL
 %token TOK_EVENT
+%token TOK_MIME
 %token TOK_HEADER
 %token TOK_IDENT
 %token TOK_INT
@@ -61,9 +62,9 @@ static uint8_t mask_to_len(uint32_t mask)
 
 %type <str> TOK_STRING TOK_IDENT TOK_POLICY_SYMBOL TOK_PATTERN pattern string
 %type <val> TOK_INT TOK_TCP_STATE_SYM TOK_IP_OPTION_SYM TOK_COMP
-%type <val> integer ipoption_list tcpstate_list
+%type <val> integer ipoption_list tcpstate_list opt_strength
 %type <rule> rule
-%type <bl> TOK_BOOL
+%type <bl> TOK_BOOL opt_negate
 %type <hdr_test> hdr_expr
 %type <range> range rangeopt
 %type <vallist> value_list
@@ -186,6 +187,9 @@ rule_attr:
 	|	TOK_EVENT string
 			{ current_rule->AddAction(new RuleActionEvent($2)); }
 
+	|	TOK_MIME string opt_strength
+			{ current_rule->AddAction(new RuleActionMIME($2, $3)); }
+
 	|	TOK_ENABLE TOK_STRING
 			{ current_rule->AddAction(new RuleActionEnable($2)); }
 
@@ -359,6 +363,20 @@ integer:
 			{ $$ = id_to_uint($1); }
 	;
 
+opt_negate:
+		'-'
+			{ $$ = true; }
+	|
+			{ $$ = false; }
+	;
+
+opt_strength:
+		',' opt_negate TOK_INT
+			{ $$ = $2 ? -$3 : $3; }
+	|
+			{ $$ = 0; }
+	;
+
 string:
 		TOK_STRING
 			{ $$ = $1; }
diff --git a/src/rule-scan.l b/src/rule-scan.l
index 9c755d04e3..f280d6132b 100644
--- a/src/rule-scan.l
+++ b/src/rule-scan.l
@@ -21,11 +21,13 @@ D	[0-9]+
 H	[0-9a-fA-F]+
 HEX {H}
 STRING	\"([^\n\"]|\\\")*\"
-ID	([0-9a-zA-Z_-]+::)*[0-9a-zA-Z_-]+
+IDCOMPONENT [0-9a-zA-Z_][0-9a-zA-Z_-]*
+ID	{IDCOMPONENT}(::{IDCOMPONENT})*
 IP6	("["({HEX}:){7}{HEX}"]")|("["0x{HEX}({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*"]")|("["({HEX}|:)*"::"({HEX}|:)*({D}"."){3}{D}"]")
 RE	\/(\\\/)?([^/]|[^\\]\\\/)*\/
 META	\.[^ \t]+{WS}[^\n]+
-PID	([0-9a-zA-Z_-]|"::")+
+PIDCOMPONENT [A-Za-z_][A-Za-z_0-9]*
+PID  {PIDCOMPONENT}(::{PIDCOMPONENT})*
 
 %option nounput nodefault
 
@@ -50,7 +52,7 @@ PID	([0-9a-zA-Z_-]|"::")+
 	return TOK_IP6;
 	}
 
-[!\]\[{}&:,]	return rules_text[0];
+[!\]\[{}&:,-]	return rules_text[0];
 
 "<="	{ rules_lval.val = RuleHdrTest::LE; return TOK_COMP; }
 ">="	{ rules_lval.val = RuleHdrTest::GE; return TOK_COMP; }
@@ -116,6 +118,7 @@ dst-port	return TOK_DST_PORT;
 enable		return TOK_ENABLE;
 eval		return TOK_EVAL;
 event		return TOK_EVENT;
+file-mime	return TOK_MIME;
 header		return TOK_HEADER;
 ip-options	return TOK_IP_OPTIONS;
 ip-proto	return TOK_IP_PROTO;
@@ -129,6 +132,7 @@ src-port	return TOK_SRC_PORT;
 tcp-state	return TOK_TCP_STATE;
 active		return TOK_ACTIVE;
 
+file-magic { rules_lval.val = Rule::FILE_MAGIC; return TOK_PATTERN_TYPE; }
 payload	{ rules_lval.val = Rule::PAYLOAD; return TOK_PATTERN_TYPE; }
 http-request	{ rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
 http-request-body	{ rules_lval.val = Rule::HTTP_REQUEST_BODY; return TOK_PATTERN_TYPE; }
diff --git a/src/util-config.h.in b/src/util-config.h.in
index 385c789b97..5fc49b0140 100644
--- a/src/util-config.h.in
+++ b/src/util-config.h.in
@@ -1,2 +1 @@
 #define BRO_SCRIPT_INSTALL_PATH "@BRO_SCRIPT_INSTALL_PATH@"
-#define BRO_MAGIC_INSTALL_PATH "@BRO_MAGIC_INSTALL_PATH@"
diff --git a/src/util.cc b/src/util.cc
index 5a0b55a34a..434783a340 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -911,16 +911,6 @@ const char* bro_path()
 	return path;
 	}
 
-const char* bro_magic_path()
-	{
-	const char* path = getenv("BROMAGIC");
-
-	if ( ! path )
-		path = BRO_MAGIC_INSTALL_PATH;
-
-	return path;
-	}
-
 string bro_prefixes()
 	{
 	string rval;
@@ -1649,45 +1639,6 @@ void operator delete[](void* v)
 
 #endif
 
-void bro_init_magic(magic_t* cookie_ptr, int flags)
-	{
-	if ( ! cookie_ptr || *cookie_ptr )
-		return;
-
-	*cookie_ptr = magic_open(flags);
-
-	// Always use Bro's custom magic database.
-	const char* database = bro_magic_path();
-
-	if ( ! *cookie_ptr )
-		{
-		const char* err = magic_error(*cookie_ptr);
-		reporter->InternalError("can't init libmagic: %s",
-		                        err ? err : "unknown");
-		}
-
-	else if ( magic_load(*cookie_ptr, database) < 0 )
-		{
-		const char* err = magic_error(*cookie_ptr);
-		reporter->InternalError("can't load magic file %s: %s", database,
-		                        err ? err : "unknown");
-		magic_close(*cookie_ptr);
-		*cookie_ptr = 0;
-		}
-	}
-
-const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length)
-	{
-	const char* rval = magic_buffer(cookie, buffer, length);
-	if ( ! rval )
-		{
-		const char* err = magic_error(cookie);
-		reporter->Error("magic_buffer error: %s", err ? err : "unknown");
-		}
-
-	return rval;
-	}
-
 const char* canonify_name(const char* name)
 	{
 	unsigned int len = strlen(name);
diff --git a/src/util.h b/src/util.h
index 16a5181dbc..aebc8bbc43 100644
--- a/src/util.h
+++ b/src/util.h
@@ -22,7 +22,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
-#include <magic.h>
 #include <libgen.h>
 #include "config.h"
 
@@ -483,12 +482,6 @@ struct CompareString
 		}
 	};
 
-extern magic_t magic_desc_cookie;
-extern magic_t magic_mime_cookie;
-
-void bro_init_magic(magic_t* cookie_ptr, int flags);
-const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length);
-
 /**
  * Canonicalizes a name by converting it to uppercase letters and replacing
  * all non-alphanumeric characters with an underscore.
diff --git a/testing/btest/Baseline/bifs.identify_data/out b/testing/btest/Baseline/bifs.identify_data/out
index 9645f524b3..f7b47a74c7 100644
--- a/testing/btest/Baseline/bifs.identify_data/out
+++ b/testing/btest/Baseline/bifs.identify_data/out
@@ -1,4 +1,2 @@
-ASCII text, with no line terminators
 text/plain
-PNG image data
 image/png
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 0218611d1c..a3b8743a13 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-10-30-16-52-11
+#open	2014-03-03-20-45-31
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -94,6 +94,7 @@ scripts/base/init-bare.bro
       build/scripts/base/bif/file_analysis.bif.bro
       scripts/base/utils/site.bro
         scripts/base/utils/patterns.bro
+    scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/broxygen.bif.bro
@@ -101,4 +102,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2013-10-30-16-52-11
+#close	2014-03-03-20-45-31
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 76b3f3a596..247cf0b62a 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-01-31-22-54-38
+#open	2014-03-03-20-45-54
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -94,6 +94,7 @@ scripts/base/init-bare.bro
       build/scripts/base/bif/file_analysis.bif.bro
       scripts/base/utils/site.bro
         scripts/base/utils/patterns.bro
+    scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
     build/scripts/base/bif/bloom-filter.bif.bro
     build/scripts/base/bif/broxygen.bif.bro
@@ -222,4 +223,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-01-31-22-54-38
+#close	2014-03-03-20-45-54
diff --git a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
index 312663e74e..5c7da193c6 100644
--- a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
+++ b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
@@ -6,9 +6,9 @@
 
       # bro -r http/bro.org.pcap file_extraction.bro
       Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html
+      Extracting file HTTP-FMG4bMmVV64eOsCb.txt
       Extracting file HTTP-FnaT2a3UDd093opCB9.txt
       Extracting file HTTP-FsvATF146kf1Emc21j.txt
       Extracting file HTTP-FkMQHg2nBr44fc5h63.txt
-      Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt
       [...]
 
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index 8396de608d..02cebb72d0 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -16,16 +16,16 @@
       #empty_field	(empty)
       #unset_field	-
       #path	mime_metrics
-      #open	2014-01-21-21-35-28
+      #open	2014-03-03-22-45-14
       #fields	ts	ts_delta	mtype	uniq_hosts	hits	bytes
       #types	time	interval	string	count	count	count
       1389719059.311698	300.000000	text/html	1	4	53070
       1389719059.311698	300.000000	image/jpeg	1	1	186859
-      1389719059.311698	300.000000	text/troff	1	1	2957
+      1389719059.311698	300.000000	text/troff	1	1	3180
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
-      1389719059.311698	300.000000	text/plain	1	12	114205
+      1389719059.311698	300.000000	text/plain	1	12	113982
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
       1389719059.311698	300.000000	image/x-icon	1	2	2300
-      #close	2014-01-21-21-35-28
+      #close	2014-03-03-22-45-14
 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
index eba43b94a4..ef818618b3 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.ftp/out
@@ -3,7 +3,7 @@ file #0, 0, 0
 FILE_BOF_BUFFER
 The Nationa
 MIME_TYPE
-text/x-pascal
+text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 16557, 0
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
index d85a9de314..e182c6d30b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
@@ -1,7 +1,7 @@
 FILE_NEW
 file #0, 0, 0
 MIME_TYPE
-application/octet-stream
+text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
diff --git a/testing/btest/bifs/identify_data.bro b/testing/btest/bifs/identify_data.bro
index d49a144b1e..048c409553 100644
--- a/testing/btest/bifs/identify_data.bro
+++ b/testing/btest/bifs/identify_data.bro
@@ -6,11 +6,9 @@ event bro_init()
 	{
 	# plain text
 	local a = "This is a test";
-	print identify_data(a, F);
 	print identify_data(a, T);
 
 	# PNG image
 	local b = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00";
-	print identify_data(b, F);
 	print identify_data(b, T);
 	}

From 4fd1098949183a4c0e0f4aa7aa724220a1929d19 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 4 Mar 2014 13:14:32 -0600
Subject: [PATCH 075/220] Misc. documentation fixes.

Silences some warnings from Sphinx.
---
 doc/broids/index.rst     | 4 ++--
 doc/index.rst            | 2 ++
 doc/quickstart/index.rst | 7 ++++---
 doc/scripting/index.rst  | 6 +++---
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/doc/broids/index.rst b/doc/broids/index.rst
index 9dabde3af8..96f50f8fa5 100644
--- a/doc/broids/index.rst
+++ b/doc/broids/index.rst
@@ -15,9 +15,9 @@ conditions specific to your particular case.
 In the following sections, we present a few examples of common uses of
 Bro as an IDS.
 
-------------------------------------------------
+-------------------------------------------------
 Detecting an FTP Brute-force Attack and Notifying
-------------------------------------------------
+-------------------------------------------------
 
 For the purpose of this exercise, we define FTP brute-forcing as too many
 rejected usernames and passwords occurring from a single address.  We
diff --git a/doc/index.rst b/doc/index.rst
index 3da35e7b7a..a66353c9ea 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -17,6 +17,8 @@ Introduction Section
 
 .. 
 
+.. _using-bro:
+
 Using Bro Section
 =================
 
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index 85fdb88d7f..e322d05f71 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -292,9 +292,10 @@ tweak the most basic options.  Here's some suggestions on what to explore next:
 
 * We only looked at how to change options declared in the notice framework,
   there's many more options to look at in other script packages.
-* Continue reading with :ref:`using-bro` chapter which goes into more
-  depth on working with Bro; then look at :ref:`writing-scripts` for
-  learning how to start writing your own scripts.
+* Continue reading with :ref:`Using Bro <using-bro>` chapter which goes
+  into more depth on working with Bro; then look at
+  :ref:`writing-scripts` for learning how to start writing your own
+  scripts.
 * Look at the scripts in ``$PREFIX/share/bro/policy`` for further ones
   you may want to load; you can browse their documentation at the
   :ref:`overview of script packages <script-packages>`.
diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst
index 66ebce86af..b12330ceb4 100644
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@@ -345,13 +345,13 @@ keyword.  Unlike globals, constants can only be set or altered at
 parse time if the ``&redef`` attribute has been used.  Afterwards (in
 runtime) the constants are unalterable.  In most cases, re-definable
 constants are used in Bro scripts as containers for configuration
-options.  For example, the configuration option to log password
+options.  For example, the configuration option to log passwords
 decrypted from HTTP streams is stored in
-``HTTP::default_capture_password`` as shown in the stripped down
+:bro:see:`HTTP::default_capture_password` as shown in the stripped down
 excerpt from :doc:`/scripts/base/protocols/http/main.bro` below.
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/http/main.bro
-   :lines: 8-10,19-21,120
+   :lines: 9-11,20-22,121
 
 Because the constant was declared with the ``&redef`` attribute, if we
 needed to turn this option on globally, we could do so by adding the

From ea1616bed5da03690bf15a8c9f46d0e23122aea9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 4 Mar 2014 13:58:58 -0800
Subject: [PATCH 076/220] At the moment, SSL connections where the
 ssl_established event does not fire are not logged.

That means that, for example, connections that are terminated with an alert during the
handshake never appear in the ssl.log.

This patch changes this behavior - now all ssl connections that fire any event are logged.

The protocol confirmation of the ssl analyzer is moved to the client_hello instead to
the server hello. Furthermore, an additional field is added to ssl.log, which indicates
if a connection has been established or not (which probably indicates a handshake problem).
---
 scripts/base/protocols/ssl/main.bro           |  27 ++++++++++++++++--
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |   4 +--
 .../ssl.log                                   |  10 +++++++
 .../Traces/tls-1.2-handshake-failure.trace    | Bin 0 -> 1131 bytes
 .../ssl/tls-1.2-handshake-failure.test        |   2 ++
 5 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
 create mode 100644 testing/btest/Traces/tls-1.2-handshake-failure.trace
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test

diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 3958a90fa2..b8a5fdd275 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -58,6 +58,14 @@ export {
 		## to each connection.  It is not used for logging since it's a
 		## meaningless arbitrary number.
 		analyzer_id:      count            &optional;
+
+		## Flag to indicate if this ssl session has been established
+		## succesfully, or if it was aborted during the handshake.
+		established:  bool &log &default=F;
+
+		## Flag to indicate if this record already has been logged, to
+		## prevent duplicates.
+		logged:  bool  &default=F;
 	};
 
 	## The default root CA bundle.  By default, the mozilla-ca-list.bro
@@ -127,9 +135,13 @@ function undelay_log(info: Info, token: string)
 
 function log_record(info: Info)
 	{
+	if ( info$logged )
+		return;
+
 	if ( ! info?$delay_tokens || |info$delay_tokens| == 0 )
 		{
 		Log::write(SSL::LOG, info);
+		info$logged = T;
 		}
 	else
 		{
@@ -151,6 +163,7 @@ function finish(c: connection)
 	log_record(c$ssl);
 	if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
 		disable_analyzer(c$id, c$ssl$analyzer_id);
+		delete c$ssl$analyzer_id;
 	}
 
 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
@@ -231,6 +244,7 @@ event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priori
 event ssl_established(c: connection) &priority=5
 	{
 	set_session(c);
+	c$ssl$established = T;
 	}
 
 event ssl_established(c: connection) &priority=-5
@@ -238,11 +252,20 @@ event ssl_established(c: connection) &priority=-5
 	finish(c);
 	}
 
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$ssl )
+		# called in case a SSL connection that has not been established terminates
+		finish(c);
+	}
+
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
-	# Check by checking for existence of c$ssl record.
-	if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
+	if ( atype == Analyzer::ANALYZER_SSL ) 
+		{
+		set_session(c);
 		c$ssl$analyzer_id = aid;
+		}
 	}
 
 event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 280f3a2d32..a877514127 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -160,6 +160,8 @@ refine connection SSL_Conn += {
 		%{
 		if ( ! version_ok(version) )
 			bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
+		else
+			bro_analyzer()->ProtocolConfirmation();
 
 		if ( ssl_client_hello )
 			{
@@ -198,8 +200,6 @@ refine connection SSL_Conn += {
 		%{
 		if ( ! version_ok(version) )
 			bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
-		else
-			bro_analyzer()->ProtocolConfirmation();
 
 		if ( ssl_server_hello )
 			{
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
new file mode 100644
index 0000000000..92d7e3a1ab
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-03-04-21-57-58
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
+1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	-	-	-	-	handshake_failure	-	-	F
+#close	2014-03-04-21-57-58
diff --git a/testing/btest/Traces/tls-1.2-handshake-failure.trace b/testing/btest/Traces/tls-1.2-handshake-failure.trace
new file mode 100644
index 0000000000000000000000000000000000000000..aecda8cb9b8fd56f59293fa511346ce4eae43710
GIT binary patch
literal 1131
zcmaKqPiPZC6vn@q*{pHXYLc2XreK3oO)(;-D~b^sO@y{WpeTr<2Njf7#FKbYiQqv|
z!HSKDViZBEV3DF;st{WXMG&mi9t02m!Gel87!(AJ?`^O#+0catJF_#t_wDz+$<d)3
z5*q$J#UdbR@ha%wGWf=Y6uom{>8a^+Ck8_MI-Yksu?dJzZjU3b??0X!(E7WM<y$6v
zVmKM>InRgh%VP0l0+5>Hflx{l!fC{g{G8@*nk>=fZx^~~%~j%-dRX-J##3Omezb|n
z+(8Ua_}*owmQ#nm>)u<DGn*}XMw3qC_1IJ=)2Wlry7v%yBT>0*y3LMlto!@fD&2iV
zkEGq9X!{p(prkj?WF{W^<3fR8TsGpT<|j;SI$V<&2t_YGtR(uCz&$egj#77TKKjs-
zy}J8b>)Vgv(CsysFReK6BRKMT?T!oMUv~|z1iU$SPS5#ruAD#&lENuUx_b~VXbM8Y
zfQcyPp&koquMPpsr9D3y;e?JkSO6d8>wp&xbXh`SKHTtN3H?evLRh2=UFymq9MVBa
zX;M>4D5;bbQc6B81bcABTQ}pXEicm;vGQ76l~*Jg>`kQIGPCn#$pdmUMOo#Uc#Vji
zq=L&vj2WXAF<6rrkeT4)N}^9GNEv2uc6O=HEO4j_+-6Djkks)?FcXXa5p4rto=))q
z4E0wIKyQLZs*Of!ReS5q02J5&CN?yb?X(luy<nnftU)v_V%Sc6KPz!Vnu)*m)+BmJ
h<1#z3CtTKO3&=FaEFYVzd^E|&q!oENpsf^n;V%$oN+JLN

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
new file mode 100644
index 0000000000..9cceca70b1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/tls-1.2-handshake-failure.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log

From 5b4a1b276259780a9e458502c9da980de8bb93b1 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 4 Mar 2014 14:31:41 -0800
Subject: [PATCH 077/220] update test baselines

---
 .../ssl.log                                   | 12 ++--
 .../scripts.base.protocols.ssl.basic/ssl.log  | 10 +--
 .../ssl.log                                   | 10 +--
 .../all-events-no-args.log                    |  6 +-
 .../all-events.log                            | 66 +++++++++----------
 .../ssl-events.log                            | 18 ++---
 6 files changed, 61 insertions(+), 61 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
index 20296a715e..32df4c69f2 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2013-08-26-19-47-01
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string
-1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-#close	2013-08-26-19-47-01
+#open	2014-03-04-22-24-11
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
+1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	T
+1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	T
+#close	2014-03-04-22-24-11
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
index a0dad9ea67..172cd19afa 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2013-08-26-19-04-21
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string
-1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	-	-	-
-#close	2013-08-26-19-04-21
+#open	2014-03-04-22-02-50
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
+1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	-	-	-	T
+#close	2014-03-04-22-02-50
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
index dc9a9ff752..ed1ff6a70b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2013-08-26-19-04-22
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string
-1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1304467200.000000	1467676799.000000	-	-	-
-#close	2013-08-26-19-04-22
+#open	2014-03-04-22-03-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
+1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1304467200.000000	1467676799.000000	-	-	-	T
+#close	2014-03-04-22-03-00
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index 2083e3b02c..daa0f9f43f 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -4,24 +4,24 @@
 1170717505.366729 filter_change_tracking
 1170717505.366729 new_connection
 1170717505.548308 connection_established
+1170717505.549109 protocol_confirmation
 1170717505.549109 ssl_client_hello
-1170717505.734145 protocol_confirmation
 1170717505.734145 ssl_server_hello
 1170717505.735416 x509_certificate
 1170717505.735416 x509_certificate
 1170717505.934612 ssl_established
 1170717508.515696 new_connection
 1170717508.696747 connection_established
+1170717508.697180 protocol_confirmation
 1170717508.697180 ssl_client_hello
-1170717508.881857 protocol_confirmation
 1170717508.881857 ssl_server_hello
 1170717508.883051 x509_certificate
 1170717508.883051 x509_certificate
 1170717509.082241 ssl_established
 1170717511.541455 new_connection
 1170717511.722589 connection_established
+1170717511.722913 protocol_confirmation
 1170717511.722913 ssl_client_hello
-1170717511.908619 protocol_confirmation
 1170717511.908619 ssl_server_hello
 1170717511.909717 x509_certificate
 1170717511.909717 x509_certificate
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 8e9e980fbf..59c9d6d026 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -8,21 +8,21 @@
 1170717505.548308 connection_established
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717505.366729, duration=0.181579, service={^J^J}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717505.549109 ssl_client_hello
+1170717505.549109 protocol_confirmation
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_SSL
+                  [2] aid: count         = 3
+
+1170717505.549109 ssl_client_hello
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 2
                   [2] possible_ts: time  = 0.0
                   [3] client_random: string = \xe6\xb8\xef\xdf\x91\xcfD\xf7\xea\xe4<\x839\x8f\xdc\xb2
                   [4] session_id: string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
-1170717505.734145 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
-                  [2] aid: count         = 3
-
 1170717505.734145 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717513.0
                   [3] server_random: string = +e\x8dQ\x83\xbb\xae\xdb\xf3^\x8f^Ro\xf9&\xb1Iy\xcdp=$*\xea\x99j_\xda
@@ -31,7 +31,7 @@
                   [6] comp_method: count = 0
 
 1170717505.735416 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] cert: X509         = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0]
                   [3] chain_idx: count   = 0
@@ -39,7 +39,7 @@
                   [5] der_cert: string   = 0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4
 
 1170717505.735416 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] cert: X509         = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0]
                   [3] chain_idx: count   = 1
@@ -47,7 +47,7 @@
                   [5] der_cert: string   = 0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#
 
 1170717505.934612 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717508.515696 new_connection
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717508.515696, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -55,21 +55,21 @@
 1170717508.696747 connection_established
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717508.515696, duration=0.181051, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717508.697180 ssl_client_hello
+1170717508.697180 protocol_confirmation
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_SSL
+                  [2] aid: count         = 7
+
+1170717508.697180 ssl_client_hello
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486404.0
                   [3] client_random: string = \xa8\xa2\xabs\x9ad\xab\xb4\xe6\x8c\xfc\xfc4p\xffbi\xb1\xa8hXP\x1f\xbb\xd12~\xd8
                   [4] session_id: string = \xa8\xc1\xc5h^Y$\xe8^J2\xa1]^^? \xbc^?Q>V\xb2^U^C\x9d^MU\xde\xfd\xa5\xa3 \xc0
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
-1170717508.881857 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
-                  [2] aid: count         = 7
-
 1170717508.881857 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717516.0
                   [3] server_random: string = ^O\xac^?x#X|hC\x8c\x87\x87e3\xaf{^K\xaa*\x8f^Px\xeb\x8d^X"G\xe9
@@ -78,7 +78,7 @@
                   [6] comp_method: count = 0
 
 1170717508.883051 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] cert: X509         = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0]
                   [3] chain_idx: count   = 0
@@ -86,7 +86,7 @@
                   [5] der_cert: string   = 0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4
 
 1170717508.883051 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] cert: X509         = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0]
                   [3] chain_idx: count   = 1
@@ -94,7 +94,7 @@
                   [5] der_cert: string   = 0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#
 
 1170717509.082241 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717511.541455 new_connection
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717511.541455, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -102,21 +102,21 @@
 1170717511.722589 connection_established
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717511.541455, duration=0.181134, service={^J^J}, addl=, hot=0, history=Sh, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717511.722913 ssl_client_hello
+1170717511.722913 protocol_confirmation
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_SSL
+                  [2] aid: count         = 11
+
+1170717511.722913 ssl_client_hello
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486407.0
                   [3] client_random: string = $^F^D\xbe/VD\xc8\xdf\xd2\xe5\x1c\xc2\xb3\xa3^Aq\xbdX\x85>\xd7\xc6\xe3\xfc\xd1\x88F
                   [4] session_id: string = \x9eQ\xca\xef@\xad\x85\xf9\xf0=\xbb\x8c\x1f\xdc\x866!\x80\x8c1^Rr\xe1^BB\xcb@k\xf9^W\xbc\xd9
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
-1170717511.908619 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
-                  [2] aid: count         = 11
-
 1170717511.908619 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717519.0
                   [3] server_random: string = \xfd\x1b\x8c^S^H\xa2\xca\xac^A^O\xcbv\xe9\xbd!\x98}\x89|\xb6\xc0(\xcd\xb3^WmY^D
@@ -125,7 +125,7 @@
                   [6] comp_method: count = 0
 
 1170717511.909717 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] cert: X509         = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0]
                   [3] chain_idx: count   = 0
@@ -133,7 +133,7 @@
                   [5] der_cert: string   = 0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4
 
 1170717511.909717 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] cert: X509         = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0]
                   [3] chain_idx: count   = 1
@@ -141,21 +141,21 @@
                   [5] der_cert: string   = 0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#
 
 1170717512.108799 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717528.851698 ChecksumOffloading::check
 1170717528.851698 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=6012, state=5, num_pkts=61, num_bytes_ip=9160, flow_label=0], resp=[size=121583, state=5, num_pkts=101, num_bytes_ip=126847, flow_label=0], start_time=1170717508.515696, duration=3.001729, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFRfR, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=6012, state=5, num_pkts=61, num_bytes_ip=9160, flow_label=0], resp=[size=121583, state=5, num_pkts=101, num_bytes_ip=126847, flow_label=0], start_time=1170717508.515696, duration=3.001729, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFRfR, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717531.882302 net_done
                   [0] t: time            = 1170717531.882302
 
 1170717531.882302 filter_change_tracking
 1170717531.882302 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=4879, state=5, num_pkts=32, num_bytes_ip=6555, flow_label=0], resp=[size=32965, state=6, num_pkts=36, num_bytes_ip=34813, flow_label=0], start_time=1170717505.366729, duration=23.667015, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFr, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=4879, state=5, num_pkts=32, num_bytes_ip=6555, flow_label=0], resp=[size=32965, state=6, num_pkts=36, num_bytes_ip=34813, flow_label=0], start_time=1170717505.366729, duration=23.667015, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFr, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717531.882302 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=842, state=5, num_pkts=11, num_bytes_ip=1414, flow_label=0], resp=[size=3613, state=5, num_pkts=11, num_bytes_ip=4197, flow_label=0], start_time=1170717511.541455, duration=20.340781, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFfR, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=842, state=5, num_pkts=11, num_bytes_ip=1414, flow_label=0], resp=[size=3613, state=5, num_pkts=11, num_bytes_ip=4197, flow_label=0], start_time=1170717511.541455, duration=20.340781, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFfR, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717531.882302 bro_done
 1170717531.882302 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
index 1fd4bc81d6..b37425ac1c 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
@@ -1,5 +1,5 @@
 1170717505.549109 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 2
                   [2] possible_ts: time  = 0.0
                   [3] client_random: string = \xe6\xb8\xef\xdf\x91\xcfD\xf7\xea\xe4<\x839\x8f\xdc\xb2
@@ -7,7 +7,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717505.734145 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717513.0
                   [3] server_random: string = +e\x8dQ\x83\xbb\xae\xdb\xf3^\x8f^Ro\xf9&\xb1Iy\xcdp=$*\xea\x99j_\xda
@@ -16,10 +16,10 @@
                   [6] comp_method: count = 0
 
 1170717505.934612 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717508.697180 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486404.0
                   [3] client_random: string = \xa8\xa2\xabs\x9ad\xab\xb4\xe6\x8c\xfc\xfc4p\xffbi\xb1\xa8hXP\x1f\xbb\xd12~\xd8
@@ -27,7 +27,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717508.881857 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717516.0
                   [3] server_random: string = ^O\xac^?x#X|hC\x8c\x87\x87e3\xaf{^K\xaa*\x8f^Px\xeb\x8d^X"G\xe9
@@ -36,10 +36,10 @@
                   [6] comp_method: count = 0
 
 1170717509.082241 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717511.722913 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486407.0
                   [3] client_random: string = $^F^D\xbe/VD\xc8\xdf\xd2\xe5\x1c\xc2\xb3\xa3^Aq\xbdX\x85>\xd7\xc6\xe3\xfc\xd1\x88F
@@ -47,7 +47,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717511.908619 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717519.0
                   [3] server_random: string = \xfd\x1b\x8c^S^H\xa2\xca\xac^A^O\xcbv\xe9\xbd!\x98}\x89|\xb6\xc0(\xcd\xb3^WmY^D
@@ -56,5 +56,5 @@
                   [6] comp_method: count = 0
 
 1170717512.108799 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 

From f140abc62943aca48f1b5c498f1f0a2b70287c70 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 4 Mar 2014 15:09:19 -0800
Subject: [PATCH 078/220] only call disable_analyzer if the connection is still
 open.

---
 scripts/base/protocols/ssl/main.bro | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index b8a5fdd275..c80e74665e 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -158,10 +158,12 @@ function log_record(info: Info)
 		}
 	}
 
-function finish(c: connection)
+# remove_analyzer flag is used to prevent disabling analyzer for finished
+# connections.
+function finish(c: connection, remove_analyzer: bool)
 	{
 	log_record(c$ssl);
-	if ( disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
+	if ( remove_analyzer && disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
 		disable_analyzer(c$id, c$ssl$analyzer_id);
 		delete c$ssl$analyzer_id;
 	}
@@ -249,14 +251,14 @@ event ssl_established(c: connection) &priority=5
 
 event ssl_established(c: connection) &priority=-5
 	{
-	finish(c);
+	finish(c, T);
 	}
 
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssl )
 		# called in case a SSL connection that has not been established terminates
-		finish(c);
+		finish(c, F);
 	}
 
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
@@ -272,5 +274,5 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                          reason: string) &priority=5
 	{
 	if ( c?$ssl )
-		finish(c);
+		finish(c, T);
 	}

From 0865b152bb545a49d17d6a4c96401d57314262c9 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 5 Mar 2014 10:49:57 -0600
Subject: [PATCH 079/220] Refactor common MIME magic matching code.

Put some methods in file_analysis::Manager that can perform the
matching process and return MIME type results.  Also helps to
centralize the management/re-use of a signature matcher object.
---
 src/bro.bif                  | 13 ++++---------
 src/file_analysis/File.cc    | 10 +++-------
 src/file_analysis/Manager.cc | 32 +++++++++++++++++++++++++++++++-
 src/file_analysis/Manager.h  | 31 +++++++++++++++++++++++++++++++
 src/main.cc                  |  2 ++
 5 files changed, 71 insertions(+), 17 deletions(-)

diff --git a/src/bro.bif b/src/bro.bif
index aea6377d91..e0bab31542 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -852,15 +852,12 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 	if ( ! return_mime )
 		reporter->Warning("identify_data() builtin-function only returns MIME types, but verbose file info requested");
 
-	static RuleFileMagicState* fms = rule_matcher->InitFileMagic();
-	rule_matcher->ClearFileMagicState(fms);
-	RuleMatcher::MIME_Matches matches;
-	rule_matcher->Match(fms, data->Bytes(), data->Len(), &matches);
+	string strongest_match = file_mgr->DetectMIME(data->Bytes(), data->Len());
 
-	if ( matches.empty() )
+	if ( strongest_match.empty() )
 		return new StringVal("<unknown>");
 
-	return new StringVal(*(matches.begin()->second.begin()));
+	return new StringVal(strongest_match);
 	%}
 
 ## Determines the MIME type of a piece of data using Bro's file magic
@@ -873,10 +870,8 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 ## .. bro:see:: identify_data
 function file_magic%(data: string%): mime_matches
 	%{
-	static RuleFileMagicState* fms = rule_matcher->InitFileMagic();
-	rule_matcher->ClearFileMagicState(fms);
 	RuleMatcher::MIME_Matches matches;
-	rule_matcher->Match(fms, data->Bytes(), data->Len(), &matches);
+	file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches);
 	VectorVal* rval = new VectorVal(mime_matches);
 
 	for ( RuleMatcher::MIME_Matches::const_iterator it = matches.begin();
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index d7cb6e09c7..ad6e46bf79 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -280,16 +280,12 @@ bool File::BufferBOF(const u_char* data, uint64 len)
 
 bool File::DetectMIME(const u_char* data, uint64 len)
 	{
-	static RuleFileMagicState* fms = rule_matcher->InitFileMagic();
-	rule_matcher->ClearFileMagicState(fms);
-	RuleMatcher::MIME_Matches matches;
-	rule_matcher->Match(fms, data, len, &matches);
+	string strongest_match = file_mgr->DetectMIME(data, len);
 
-	if ( matches.empty() )
+	if ( strongest_match.empty() )
 		return false;
 
-	val->Assign(mime_type_idx, new StringVal(*matches.begin()->second.begin()));
-
+	val->Assign(mime_type_idx, new StringVal(strongest_match));
 	return true;
 	}
 
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index a6878e7c5d..a674bd6665 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -20,13 +20,15 @@ string Manager::salt;
 
 Manager::Manager()
 	: plugin::ComponentManager<file_analysis::Tag,
-	                           file_analysis::Component>("Files")
+	                           file_analysis::Component>("Files"),
+	id_map(), ignored(), current_file_id(), magic_state()
 	{
 	}
 
 Manager::~Manager()
 	{
 	Terminate();
+	delete magic_state;
 	}
 
 void Manager::InitPreScript()
@@ -42,6 +44,12 @@ void Manager::InitPostScript()
 	{
 	}
 
+void Manager::InitMagic()
+	{
+	delete magic_state;
+	magic_state = rule_matcher->InitFileMagic();
+	}
+
 void Manager::Terminate()
 	{
 	vector<string> keys;
@@ -395,3 +403,25 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const
 
 	return c->Factory()(args, f);
 	}
+
+RuleMatcher::MIME_Matches* Manager::DetectMIME(const u_char* data, uint64 len,
+        RuleMatcher::MIME_Matches* rval) const
+	{
+	if ( ! magic_state )
+		reporter->InternalError("file magic signature state not initialized");
+
+	rval = rule_matcher->Match(magic_state, data, len, rval);
+	rule_matcher->ClearFileMagicState(magic_state);
+	return rval;
+	}
+
+string Manager::DetectMIME(const u_char* data, uint64 len) const
+	{
+	RuleMatcher::MIME_Matches matches;
+	DetectMIME(data, len, &matches);
+
+	if ( matches.empty() )
+		return "";
+
+	return *(matches.begin()->second.begin());
+	}
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 649f82c164..7c46a0eeb7 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -14,6 +14,7 @@
 #include "Analyzer.h"
 #include "Timer.h"
 #include "EventHandler.h"
+#include "RuleMatcher.h"
 
 #include "File.h"
 #include "FileTimer.h"
@@ -54,6 +55,12 @@ public:
 	 */
 	void InitPostScript();
 
+	/**
+	 * Initializes the state required to match against file magic signatures
+	 * for MIME type identification.
+	 */
+	void InitMagic();
+
 	/**
 	 * Times out any active file analysis to prepare for shutdown.
 	 */
@@ -255,6 +262,29 @@ public:
 	 */
 	Analyzer* InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const;
 
+	/**
+	 * Returns a set of all matching MIME magic signatures for a given
+	 * chunk of data.
+	 * @param data A chunk of bytes to match magic MIME signatures against.
+	 * @param len The number of bytes in \a data.
+	 * @param rval An optional pre-existing structure in which to insert
+	 *             new matches.  If it's a null pointer, an object is
+	 *             allocated and returned from the method.
+	 * @return Set of all matching file magic signatures, which may be
+	 *         an object allocated by the method if \a rval is a null pointer.
+	 */
+	RuleMatcher::MIME_Matches* DetectMIME(const u_char* data, uint64 len,
+	        RuleMatcher::MIME_Matches* rval) const;
+
+	/**
+	 * Returns the strongest MIME magic signature match for a given data chunk.
+	 * @param data A chunk of bytes to match magic MIME signatures against.
+	 * @param len The number of bytes in \a data.
+	 * @returns The MIME type string of the strongest file magic signature
+	 *          match, or an empty string if nothing matched.
+	 */
+	std::string DetectMIME(const u_char* data, uint64 len) const;
+
 protected:
 	friend class FileTimer;
 
@@ -334,6 +364,7 @@ private:
 	IDMap id_map;	/**< Map file ID to file_analysis::File records. */
 	IDSet ignored;	/**< Ignored files.  Will be finally removed on EOF. */
 	string current_file_id;	/**< Hash of what get_file_handle event sets. */
+	RuleFileMagicState* magic_state; /** File magic signature match state. */
 
 	static TableVal* disabled;	/**< Table of disabled analyzers. */
 	static string salt; /**< A salt added to file handles before hashing. */
diff --git a/src/main.cc b/src/main.cc
index a701e5abe1..5e59a54ebd 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -933,6 +933,8 @@ int main(int argc, char** argv)
 
 		if ( rule_debug )
 			rule_matcher->PrintDebug();
+
+		file_mgr->InitMagic();
 		}
 
 	delete [] script_rule_files;

From 9743959995b476ff4443b8ddf12e42060ed0a8bb Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 5 Mar 2014 16:11:06 -0500
Subject: [PATCH 080/220] Fix DNS SRV responses and a small issue with NBNS
 queries and label length.

 - DNS SRV responses never had the code written to actually
   generate the dns_SRV_reply event.  Adding this required
   extending the event a bit to add extra information.  SRV responses
   now appear in the dns.log file correctly.

 - Fixed an issue where some Microsoft NetBIOS Name Service lookups
   would exceed the max label length for DNS and cause an incorrect
   "DNS_label_too_long" weird.
---
 scripts/base/protocols/dns/main.bro  |  4 ++--
 src/analyzer/protocol/dns/DNS.cc     | 25 +++++++++++++++++++------
 src/analyzer/protocol/dns/events.bif |  8 +++++++-
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 294220d1f2..8f83fbc677 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -421,9 +421,9 @@ event dns_WKS_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
 	hook DNS::do_reply(c, msg, ans, "");
 	}
 
-event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer) &priority=5
+event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count) &priority=5
 	{
-	hook DNS::do_reply(c, msg, ans, "");
+	hook DNS::do_reply(c, msg, ans, target);
 	}
 
 # TODO: figure out how to handle these
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index b17a90dd61..5d45f9b05c 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -208,6 +208,7 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 	int name_len = sizeof(name) - 1;
 
 	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+
 	if ( ! name_end )
 		return 0;
 
@@ -400,7 +401,10 @@ int DNS_Interpreter::ExtractLabel(const u_char*& data, int& len,
 		return 0;
 		}
 
-	if ( label_len > 63 )
+	if ( label_len > 63 && 
+	     // NetBIOS name service look ups can use 
+	     // longer labels
+	     ntohs(analyzer->Conn()->RespPort()) != 137 )
 		{
 		analyzer->Weird("DNS_label_too_long");
 		return 0;
@@ -633,15 +637,24 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
 	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
 	if ( ! name_end )
 		return 0;
-	*name_end = 0;	// terminate name so we can use it in snprintf()
 
 	if ( data - data_start != rdlength )
 		analyzer->Weird("DNS_RR_length_mismatch");
 
-	// The following is just a placeholder.
-	char buf[2048];
-	safe_snprintf(buf, sizeof(buf), "SRV %s priority=%d weight=%d port=%d",
-		      name, priority, weight, port);
+	if ( dns_SRV_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+		vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+		vl->append(new Val(priority, TYPE_COUNT));
+		vl->append(new Val(weight, TYPE_COUNT));
+		vl->append(new Val(port, TYPE_COUNT));
+
+		analyzer->ConnectionEvent(dns_SRV_reply, vl);
+		}
+
 	return 1;
 	}
 
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index b43ac95f66..520e32fe6d 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -392,6 +392,12 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%)
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
+## priority: Priority of the SRV response.
+##
+## weight: Weight of the SRV response.
+##
+## p: Port of the SRV response.
+##
 ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
 ##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
@@ -399,7 +405,7 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%)
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
 
 ## Generated on DNS reply resource records when the type of record is not one
 ## that Bro knows how to parse and generate another more specific specific

From bcdffe3212e717c6102f79b2306fb5e805598962 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 6 Mar 2014 09:06:23 -0500
Subject: [PATCH 081/220] No longer accidentally attempting to parse NBSTAT RRs
 as SRV RRs.

The NetBios name service RFC (1002) specified NBSTAT (NetBios Status)
resource records to have identifier 0x0021.  The DNS SRV RFC specified
SRV records to have identifier 33.  Unfortunately those are the
same number. :)

We now check the resp port to handle this situation better so that
we won't be attempting to parse NBSTAT records as SRV (which
causes several weird messages).
---
 scripts/base/protocols/dns/main.bro |  8 ++++++++
 src/analyzer/protocol/dns/DNS.cc    | 13 ++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 8f83fbc677..348c361311 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -360,7 +360,15 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
 	# Note: I'm ignoring the name type for now.  Not sure if this should be
 	#       worked into the query/response in some fashion.
 	if ( c$id$resp_p == 137/udp )
+		{
 		query = decode_netbios_name(query);
+		if ( c$dns$qtype_name == "SRV" )
+			{
+			# The SRV RFC used the ID used for NetBios Status RRs.
+			# So if this is NetBios Name Service we name it correctly.
+			c$dns$qtype_name = "NBSTAT";
+			}
+		}
 	c$dns$query = query;
 	}
 
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 5d45f9b05c..c5cf47b858 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -276,7 +276,18 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			break;
 
 		case TYPE_SRV:
-			status = ParseRR_SRV(msg, data, len, rdlength, msg_start);
+			if ( ntohs(analyzer->Conn()->RespPort()) == 137 )
+				{
+				// This is an NBSTAT (NetBIOS NODE STATUS) record.
+				// The SRV RFC reused the value that was already being
+				// used for this.
+				// We aren't parsing this yet.
+				status = 1;
+				}
+			else
+				{
+				status = ParseRR_SRV(msg, data, len, rdlength, msg_start);
+				}
 			break;
 
 		case TYPE_EDNS:

From 095a68b2ec0ea97bd7da20888effdda0069f3cfc Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 6 Mar 2014 11:41:10 -0600
Subject: [PATCH 082/220] Various minor changes related to file mime type
 detection.

- Improve or just remove some file magic signatures ported from libmagic
  that were too general and matched incorrectly too often.

- Fix MHR script's use of fa_file$mime_type before checking if it's
  initialized.  It may be uninitialized if no signatures match.

- The "fa_file" record now contains a "mime_types" field that contains
  all magic signatures that matched the file content (where the
  "mime_type" field is just a shortcut for the strongest match).
---
 .../base/frameworks/files/magic/general.sig   |   8 +-
 .../base/frameworks/files/magic/libmagic.sig  | 226 ++++++++++--------
 scripts/base/frameworks/files/main.bro        |   9 +-
 scripts/base/init-bare.bro                    |  11 +-
 .../policy/frameworks/files/detect-MHR.bro    |   2 +-
 src/bro.bif                                   |  19 +-
 src/file_analysis/File.cc                     |  11 +-
 src/file_analysis/File.h                      |   1 +
 src/file_analysis/Manager.cc                  |  22 ++
 src/file_analysis/Manager.h                   |   7 +
 .../output                                    |   2 +-
 .../output                                    |   2 +-
 .../btest-doc.sphinx.mimestats#1              |   6 +-
 ...licy_frameworks_files_detect-MHR_bro.btest |   2 +-
 ...cy_frameworks_files_detect-MHR_bro@4.btest |   2 +-
 15 files changed, 187 insertions(+), 143 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 595bcc2f62..ce252dd218 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -6,6 +6,12 @@ signature file-plaintext {
 }
 
 signature file-binary {
-    file-magic /(.*)([^[:print:][:space:]]+)/
+    # Exclude bytes that can be ASCII or some ISO-8859 characters.
+    file-magic /(.*)([^[:print:][:space:]\xa0-\xff]+)/
     file-mime "binary", -10
 }
+
+signature file-tar {
+    file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
+    file-mime "application/x-tar", 150
+}
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
index 25f5ba8c0f..3fa8d47ab5 100644
--- a/scripts/base/frameworks/files/magic/libmagic.sig
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
@@ -569,7 +569,7 @@ signature file-magic-auto87 {
 # >>>>&0  search/1024,=\n (len=1), [""], swap_endian=0
 # >>>>>&0  search/1,=@@ (len=2), ["unified diff output text"], swap_endian=0
 signature file-magic-auto88 {
-	file-mime "text/x-diff", 40
+	file-mime "text/x-diff", 55
 	file-magic /(.*)(\x2d\x2d\x2d )(.*)(\x0a)(.*)(\x2b\x2b\x2b )(.*)(\x0a)(.*)(\x40\x40)/
 }
 
@@ -2643,7 +2643,7 @@ signature file-magic-auto388 {
 # >>&0  regex,= {0,50}\(([a-zA-Z]|,| ){1,500}\):$ (len=34), ["Python script text executable"], swap_endian=0
 signature file-magic-auto389 {
 	file-mime "text/x-python", 64
-	file-magic /(^( |\t){0,50}def {1,50}[a-zA-Z]{1,100})( {0,50}\(([a-zA-Z]|,| ){1,500}\):$)/
+	file-magic /(.*)(( |\t){0,50}def {1,50}[a-zA-Z]{1,100})( {0,50}\(([a-zA-Z]|,| ){1,500}\):$)/
 }
 
 # >0  search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0
@@ -2704,7 +2704,7 @@ signature file-magic-auto397 {
 # >>>0  regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby script text"], swap_endian=0
 signature file-magic-auto398 {
 	file-mime "text/x-ruby", 54
-	file-magic /(^[ \x09]*require[ \x09]'[A-Za-z_\x2f]+')(include [A-Z]|def [a-z]| do$)(^[ \x09]*end([ \x09]*[;#].*)?$)/
+	file-magic /(.*)([ \x09]*require[ \x09]'[A-Za-z_\x2f]+')(include [A-Z]|def [a-z]| do$)(^[ \x09]*end([ \x09]*[;#].*)?$)/
 }
 
 # >0  search/1,=eval "exec /usr/local/bin/perl (len=30), ["Perl script text"], swap_endian=0
@@ -2760,7 +2760,7 @@ signature file-magic-auto406 {
 # >>>0  regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby module source text"], swap_endian=0
 signature file-magic-auto407 {
 	file-mime "text/x-ruby", 54
-	file-magic /(^[ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/
+	file-magic /(.*)([ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/
 }
 
 # >512  string/b,=\354\245\301 (len=3), ["Microsoft Word Document"], swap_endian=0
@@ -2797,7 +2797,7 @@ signature file-magic-auto412 {
 # >0  regex,=^from\s+(\w|\.)+\s+import.*$ (len=28), ["Python script text executable"], swap_endian=0
 signature file-magic-auto413 {
 	file-mime "text/x-python", 58
-	file-magic /(^from\s+(\w|\.)+\s+import.*$)/
+	file-magic /(.*)(from\s+(\w|\.)+\s+import.*$)/
 }
 
 # >0  search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0
@@ -3342,11 +3342,12 @@ signature file-magic-auto497 {
 	file-magic /(.{4})(jP)/
 }
 
+# Not specific enough.
 # >0  regex,=^template[ \t\n]+ (len=15), ["C++ source text"], swap_endian=0
-signature file-magic-auto498 {
-	file-mime "text/x-c++", 50
-	file-magic /(^template[ \x09\x0a]+)/
-}
+#signature file-magic-auto498 {
+#	file-mime "text/x-c++", 50
+#	file-magic /(.*)(template[ \x09\x0a]+)/
+#}
 
 # >0  search/c/1,=<?php (len=5), ["PHP script text"], swap_endian=0
 signature file-magic-auto499 {
@@ -3417,9 +3418,46 @@ signature file-magic-auto509 {
 # >0  regex,=^[ \t]{0,50}\.asciiz (len=19), ["assembler source text"], swap_endian=0
 signature file-magic-auto510 {
 	file-mime "text/x-asm", 49
-	file-magic /(^[ \x09]{0,50}\.asciiz)/
+	file-magic /(^[ \x09]{0,50}\.(asciiz|asciz|section|globl|align|even|byte|file|type))/
 }
 
+# >0  regex,=^[ \t]{0,50}\.globl (len=18), ["assembler source text"], swap_endian=0
+#signature file-magic-auto517 {
+#	file-mime "text/x-asm", 48
+#	file-magic /(^[ \x09]{0,50}\.globl)/
+#}
+
+# >0  regex,=^[ \t]{0,50}\.text (len=17), ["assembler source text"], swap_endian=0
+#signature file-magic-auto523 {
+#	file-mime "text/x-asm", 47
+#	file-magic /(^[ \x09]{0,50}\.text)/
+#}
+
+# >0  regex,=^[ \t]{0,50}\.even (len=17), ["assembler source text"], swap_endian=0
+#signature file-magic-auto524 {
+#	file-mime "text/x-asm", 47
+#	file-magic /(^[ \x09]{0,50}\.even)/
+#}
+
+# >0  regex,=^[ \t]{0,50}\.byte (len=17), ["assembler source text"], swap_endian=0
+#signature file-magic-auto525 {
+#	file-mime "text/x-asm", 47
+#	file-magic /(^[ \x09]{0,50}\.byte)/
+#}
+
+# >0  regex,=^[ \t]{0,50}\.file (len=17), ["assembler source text"], swap_endian=0
+#signature file-magic-auto526 {
+#	file-mime "text/x-asm", 47
+#	file-magic /(^[ \x09]{0,50}\.file)/
+#}
+
+# >0  regex,=^[ \t]{0,50}\.type (len=17), ["assembler source text"], swap_endian=0
+#signature file-magic-auto527 {
+#	file-mime "text/x-asm", 47
+#	file-magic /(^[ \x09]{0,50}\.type)/
+#}
+
+
 # >0  search/1,=#!/usr/bin/env perl (len=19), ["Perl script text executable"], swap_endian=0
 signature file-magic-auto511 {
 	file-mime "text/x-perl", 49
@@ -3432,11 +3470,12 @@ signature file-magic-auto512 {
 	file-magic /(.*)(\x3c\x21[dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL])/
 }
 
+# This doesn't seem specific enough.
 # >0  regex,=^virtual[ \t\n]+ (len=14), ["C++ source text"], swap_endian=0
-signature file-magic-auto513 {
-	file-mime "text/x-c++", 49
-	file-magic /(^virtual[ \x09\x0a]+)/
-}
+#signature file-magic-auto513 {
+#	file-mime "text/x-c++", 49
+#	file-magic /(.*)(virtual[ \x09\x0a]+)/
+#}
 
 # >0  search/1,=#! /usr/bin/env lua (len=19), ["Lua script text executable"], swap_endian=0
 signature file-magic-auto514 {
@@ -3455,13 +3494,6 @@ signature file-magic-auto516 {
 	file-mime "text/x-tcl", 49
 	file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv tcl)/
 }
-
-# >0  regex,=^[ \t]{0,50}\.globl (len=18), ["assembler source text"], swap_endian=0
-signature file-magic-auto517 {
-	file-mime "text/x-asm", 48
-	file-magic /(^[ \x09]{0,50}\.globl)/
-}
-
 # >0  search/1,=#!/usr/bin/env tcl (len=18), ["Tcl script text executable"], swap_endian=0
 signature file-magic-auto518 {
 	file-mime "text/x-tcl", 48
@@ -3489,37 +3521,7 @@ signature file-magic-auto521 {
 # >0  regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0
 signature file-magic-auto522 {
 	file-mime "text/x-c++", 47
-	file-magic /(^class[ \x09\x0a]+)/
-}
-
-# >0  regex,=^[ \t]{0,50}\.text (len=17), ["assembler source text"], swap_endian=0
-signature file-magic-auto523 {
-	file-mime "text/x-asm", 47
-	file-magic /(^[ \x09]{0,50}\.text)/
-}
-
-# >0  regex,=^[ \t]{0,50}\.even (len=17), ["assembler source text"], swap_endian=0
-signature file-magic-auto524 {
-	file-mime "text/x-asm", 47
-	file-magic /(^[ \x09]{0,50}\.even)/
-}
-
-# >0  regex,=^[ \t]{0,50}\.byte (len=17), ["assembler source text"], swap_endian=0
-signature file-magic-auto525 {
-	file-mime "text/x-asm", 47
-	file-magic /(^[ \x09]{0,50}\.byte)/
-}
-
-# >0  regex,=^[ \t]{0,50}\.file (len=17), ["assembler source text"], swap_endian=0
-signature file-magic-auto526 {
-	file-mime "text/x-asm", 47
-	file-magic /(^[ \x09]{0,50}\.file)/
-}
-
-# >0  regex,=^[ \t]{0,50}\.type (len=17), ["assembler source text"], swap_endian=0
-signature file-magic-auto527 {
-	file-mime "text/x-asm", 47
-	file-magic /(^[ \x09]{0,50}\.type)/
+	file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/
 }
 
 # >0  search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0
@@ -3717,11 +3719,12 @@ signature file-magic-auto553 {
 	file-magic /(.*)(\x5cinput texinfo)/
 }
 
+# Not specific enough.
 # >0  regex,=^private: (len=9), ["C++ source text"], swap_endian=0
-signature file-magic-auto554 {
-	file-mime "text/x-c++", 44
-	file-magic /(^private:)/
-}
+#signature file-magic-auto554 {
+#	file-mime "text/x-c++", 44
+#	file-magic /(.*)(private:)/
+#}
 
 # >0  search/4096,=def __init__ (len=12), [""], swap_endian=0
 # >>&0  search/64,=self (len=4), ["Python script text executable"], swap_endian=0
@@ -3739,7 +3742,7 @@ signature file-magic-auto556 {
 # >0  regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0
 signature file-magic-auto557 {
 	file-mime "text/x-c", 43
-	file-magic /(^extern[ \x09\x0a]+)/
+	file-magic /(.*)(extern[ \x09\x0a]+)/
 }
 
 # >0  search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
@@ -3748,16 +3751,17 @@ signature file-magic-auto558 {
 	file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/
 }
 
+# Doesn't seem specific enough.
 # >0  regex,=^double[ \t\n]+ (len=13), ["C source text"], swap_endian=0
-signature file-magic-auto559 {
-	file-mime "text/x-c", 43
-	file-magic /(^double[ \x09\x0a]+)/
-}
+#signature file-magic-auto559 {
+#	file-mime "text/x-c", 43
+#	file-magic /(^double[ \x09\x0a]+)/
+#}
 
 # >0  regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0
 signature file-magic-auto560 {
 	file-mime "text/x-c", 43
-	file-magic /(^struct[ \x09\x0a]+)/
+	file-magic /(.*)(struct[ \x09\x0a]+)/
 }
 
 # >0  search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0
@@ -3766,11 +3770,12 @@ signature file-magic-auto561 {
 	file-magic /(.*)(\x23\x21\x2fbin\x2fnodejs)/
 }
 
+# Not specific enough.
 # >0  regex,=^public: (len=8), ["C++ source text"], swap_endian=0
-signature file-magic-auto562 {
-	file-mime "text/x-c++", 43
-	file-magic /(^public:)/
-}
+#signature file-magic-auto562 {
+#	file-mime "text/x-c++", 43
+#	file-magic /(.*)(public:)/
+#}
 
 # >0  search/wct/4096,=<script (len=7), ["HTML document text"], swap_endian=0
 signature file-magic-auto563 {
@@ -3778,17 +3783,19 @@ signature file-magic-auto563 {
 	file-magic /(.*)(\x3c[sS][cC][rR][iI][pP][tT])/
 }
 
+# Doesn't seem specific enough.
 # >0  regex,=^float[ \t\n]+ (len=12), ["C source text"], swap_endian=0
-signature file-magic-auto564 {
-	file-mime "text/x-c", 42
-	file-magic /(^float[ \x09\x0a]+)/
-}
+#signature file-magic-auto564 {
+#	file-mime "text/x-c", 42
+#	file-magic /(^float[ \x09\x0a]+)/
+#}
 
+# Doesn't seem specific enough.
 # >0  regex,=^union[ \t\n]+ (len=12), ["C source text"], swap_endian=0
-signature file-magic-auto565 {
-	file-mime "text/x-c", 42
-	file-magic /(^union[ \x09\x0a]+)/
-}
+#signature file-magic-auto565 {
+#	file-mime "text/x-c", 42
+#	file-magic /(^union[ \x09\x0a]+)/
+#}
 
 # The use of non-sequential offsets and relational operations made the
 # autogenerated signature incorrrect.
@@ -3810,7 +3817,7 @@ signature file-magic-auto567 {
 # >0  regex,=^char[ \t\n]+ (len=11), ["C source text"], swap_endian=0
 signature file-magic-auto568 {
 	file-mime "text/x-c", 41
-	file-magic /(^char[ \x09\x0a]+)/
+	file-magic /(.*)(char[ \x09\x0a]+)/
 }
 
 # >0  search/1,=#! (len=2), [""], swap_endian=0
@@ -3911,11 +3918,12 @@ signature file-magic-auto581 {
 	file-magic /(.*)(main\x28)/
 }
 
+# Not specific enough.
 # >0  search/1,=\" (len=2), ["troff or preprocessor input text"], swap_endian=0
-signature file-magic-auto582 {
-	file-mime "text/troff", 40
-	file-magic /(.*)(\x5c\x22)/
-}
+#signature file-magic-auto582 {
+#	file-mime "text/troff", 40
+#	file-magic /(.*)(\x5c\x22)/
+#}
 
 # >0  search/4096,=(defparam  (len=10), ["Lisp/Scheme program text"], swap_endian=0
 signature file-magic-auto583 {
@@ -3929,16 +3937,17 @@ signature file-magic-auto584 {
 	file-magic /(.*)(\x28autoload )/
 }
 
+#This signature seems too generic.
 # >0  search/1,=diff  (len=5), ["diff output text"], swap_endian=0
-signature file-magic-auto585 {
-	file-mime "text/x-diff", 40
-	file-magic /(.*)(diff )/
-}
+#signature file-magic-auto585 {
+#	file-mime "text/x-diff", 40
+#	file-magic /(.*)(diff )/
+#}
 
 # >0  regex,=^#include (len=9), ["C source text"], swap_endian=0
 signature file-magic-auto586 {
 	file-mime "text/x-c", 39
-	file-magic /(^#include)/
+	file-magic /(.*)(#include)/
 }
 
 # >0  search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0
@@ -4006,7 +4015,7 @@ signature file-magic-auto596 {
 # >0  regex,=^SUBDIRS (len=8), ["automake makefile script text"], swap_endian=0
 signature file-magic-auto597 {
 	file-mime "text/x-makefile", 38
-	file-magic /(^SUBDIRS)/
+	file-magic /(.*)(SUBDIRS)/
 }
 
 # >0  search/4096,=(defvar  (len=8), ["Lisp/Scheme program text"], swap_endian=0
@@ -4015,11 +4024,12 @@ signature file-magic-auto598 {
 	file-magic /(.*)(\x28defvar )/
 }
 
+# Not specific enough.
 # >0  regex,=^program (len=8), ["Pascal source text"], swap_endian=0
-signature file-magic-auto599 {
-	file-mime "text/x-pascal", 38
-	file-magic /(^program)/
-}
+#signature file-magic-auto599 {
+#	file-mime "text/x-pascal", 38
+#	file-magic /(^program)/
+#}
 
 # >0  search/1,=Only in  (len=8), ["diff output text"], swap_endian=0
 signature file-magic-auto600 {
@@ -4027,11 +4037,12 @@ signature file-magic-auto600 {
 	file-magic /(.*)(Only in )/
 }
 
+# This signature doesn't seem specific enough.
 # >0  search/1,=***  (len=4), ["diff output text"], swap_endian=0
-signature file-magic-auto601 {
-	file-mime "text/x-diff", 38
-	file-magic /(.*)(\x2a\x2a\x2a )/
-}
+#signature file-magic-auto601 {
+#	file-mime "text/x-diff", 38
+#	file-magic /(.*)(\x2a\x2a\x2a )/
+#}
 
 # >0  search/1,='.\" (len=4), ["troff or preprocessor input text"], swap_endian=0
 signature file-magic-auto602 {
@@ -4039,11 +4050,12 @@ signature file-magic-auto602 {
 	file-magic /(.*)(\x27\x2e\x5c\x22)/
 }
 
+# LDFLAGS appears in other contexts, e.g. shell script.
 # >0  regex,=^LDFLAGS (len=8), ["makefile script text"], swap_endian=0
-signature file-magic-auto603 {
-	file-mime "text/x-makefile", 38
-	file-magic /(^LDFLAGS)/
-}
+#signature file-magic-auto603 {
+#	file-mime "text/x-makefile", 38
+#	file-magic /(.*)(LDFLAGS)/
+#}
 
 # >0  search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0
 signature file-magic-auto604 {
@@ -4051,16 +4063,17 @@ signature file-magic-auto604 {
 	file-magic /(.*)(\x22libhdr\x22)/
 }
 
+# Not specific enough.
 # >0  regex,=^record (len=7), ["Pascal source text"], swap_endian=0
-signature file-magic-auto605 {
-	file-mime "text/x-pascal", 37
-	file-magic /(^record)/
-}
+#signature file-magic-auto605 {
+#	file-mime "text/x-pascal", 37
+#	file-magic /(^record)/
+#}
 
 # >0  regex,=^CFLAGS (len=7), ["makefile script text"], swap_endian=0
 signature file-magic-auto606 {
 	file-mime "text/x-makefile", 37
-	file-magic /(^CFLAGS)/
+	file-magic /(.*)(CFLAGS)/
 }
 
 # >0  search/4096,=(defun  (len=7), ["Lisp/Scheme program text"], swap_endian=0
@@ -4081,11 +4094,12 @@ signature file-magic-auto609 {
 	file-magic /(.*)(\x28input\x2c)/
 }
 
+# Not specific enough.
 # >0  search/1,=Index: (len=6), ["RCS/CVS diff output text"], swap_endian=0
-signature file-magic-auto610 {
-	file-mime "text/x-diff", 36
-	file-magic /(.*)(Index\x3a)/
-}
+#signature file-magic-auto610 {
+#	file-mime "text/x-diff", 44
+#	file-magic /(.*)(Index\x3a)/
+#}
 
 # >0  search/4096,=(setq  (len=6), ["Lisp/Scheme program text"], swap_endian=0
 signature file-magic-auto611 {
diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index cf2c11be45..81e9870db8 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -65,10 +65,11 @@ export {
 		## A set of analysis types done during the file analysis.
 		analyzers: set[string] &log;
 
-		## A mime type provided by libmagic against the *bof_buffer*
-		## field of :bro:see:`fa_file`, or in the cases where no
-		## buffering of the beginning of file occurs, an initial
-		## guess of the mime type based on the first data seen.
+		## A mime type provided by the strongest file magic signature
+		## match against the *bof_buffer* field of :bro:see:`fa_file`,
+		## or in the cases where no buffering of the beginning of file
+		## occurs, an initial guess of the mime type based on the first
+		## data seen.
 		mime_type: string &log &optional;
 
 		## A filename for the file if one is available from the source
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index d47704c3a8..352b8cc074 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -396,10 +396,15 @@ type fa_file: record {
 	## This is also the buffer that's used for file/mime type detection.
 	bof_buffer: string &optional;
 
-	## A mime type provided by libmagic against the *bof_buffer*, or
-	## in the cases where no buffering of the beginning of file occurs,
-	## an initial guess of the mime type based on the first data seen.
+	## The mime type of the strongest file magic signature matches against
+	## the data chunk in *bof_buffer*, or in the cases where no buffering
+	## of the beginning of file occurs, an initial guess of the mime type
+	## based on the first data seen.
 	mime_type: string &optional;
+
+	## All mime types that matched file magic signatures against the data
+	## chunk in *bof_buffer*, in order of their strength value.
+	mime_types: mime_matches &optional;
 } &redef;
 
 ## Fields of a SYN packet.
diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.bro
index 1a26b9be32..35b1920961 100644
--- a/scripts/policy/frameworks/files/detect-MHR.bro
+++ b/scripts/policy/frameworks/files/detect-MHR.bro
@@ -37,7 +37,7 @@ export {
 
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
-	if ( kind=="sha1" && match_file_types in f$mime_type )
+	if ( kind=="sha1" && f?$mime_type && match_file_types in f$mime_type )
 		{
 		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
 		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
diff --git a/src/bro.bif b/src/bro.bif
index e0bab31542..1029896295 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -872,24 +872,7 @@ function file_magic%(data: string%): mime_matches
 	%{
 	RuleMatcher::MIME_Matches matches;
 	file_mgr->DetectMIME(data->Bytes(), data->Len(), &matches);
-	VectorVal* rval = new VectorVal(mime_matches);
-
-	for ( RuleMatcher::MIME_Matches::const_iterator it = matches.begin();
-	      it != matches.end(); ++it )
-		{
-		RecordVal* element = new RecordVal(mime_match);
-
-		for ( set<string>::const_iterator it2 = it->second.begin();
-		      it2 != it->second.end(); ++it2 )
-			{
-			element->Assign(0, new Val(it->first, TYPE_INT));
-			element->Assign(1, new StringVal(*it2));
-			}
-
-		rval->Assign(rval->Size(), element);
-		}
-
-	return rval;
+	return file_analysis::GenMIMEMatchesVal(matches);
 	%}
 
 ## Performs an entropy test on the given data.
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index ad6e46bf79..6d3e6d5b73 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -53,6 +53,7 @@ int File::timeout_interval_idx = -1;
 int File::bof_buffer_size_idx = -1;
 int File::bof_buffer_idx = -1;
 int File::mime_type_idx = -1;
+int File::mime_types_idx = -1;
 
 void File::StaticInit()
 	{
@@ -73,6 +74,7 @@ void File::StaticInit()
 	bof_buffer_size_idx = Idx("bof_buffer_size");
 	bof_buffer_idx = Idx("bof_buffer");
 	mime_type_idx = Idx("mime_type");
+	mime_types_idx = Idx("mime_types");
 	}
 
 File::File(const string& file_id, Connection* conn, analyzer::Tag tag,
@@ -280,12 +282,15 @@ bool File::BufferBOF(const u_char* data, uint64 len)
 
 bool File::DetectMIME(const u_char* data, uint64 len)
 	{
-	string strongest_match = file_mgr->DetectMIME(data, len);
+	RuleMatcher::MIME_Matches matches;
+	file_mgr->DetectMIME(data, len, &matches);
 
-	if ( strongest_match.empty() )
+	if ( matches.empty() )
 		return false;
 
-	val->Assign(mime_type_idx, new StringVal(strongest_match));
+	val->Assign(mime_type_idx,
+	            new StringVal(*(matches.begin()->second.begin())));
+	val->Assign(mime_types_idx, file_analysis::GenMIMEMatchesVal(matches));
 	return true;
 	}
 
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 131121e9d4..86f60caf9f 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -283,6 +283,7 @@ private:
 	static int bof_buffer_size_idx;
 	static int bof_buffer_idx;
 	static int mime_type_idx;
+	static int mime_types_idx;
 };
 
 } // namespace file_analysis
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index a674bd6665..5ff7bd7186 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -425,3 +425,25 @@ string Manager::DetectMIME(const u_char* data, uint64 len) const
 
 	return *(matches.begin()->second.begin());
 	}
+
+VectorVal* file_analysis::GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m)
+	{
+	VectorVal* rval = new VectorVal(mime_matches);
+
+	for ( RuleMatcher::MIME_Matches::const_iterator it = m.begin();
+	      it != m.end(); ++it )
+		{
+		RecordVal* element = new RecordVal(mime_match);
+
+		for ( set<string>::const_iterator it2 = it->second.begin();
+		      it2 != it->second.end(); ++it2 )
+			{
+			element->Assign(0, new Val(it->first, TYPE_INT));
+			element->Assign(1, new StringVal(*it2));
+			}
+
+		rval->Assign(rval->Size(), element);
+		}
+
+	return rval;
+	}
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 7c46a0eeb7..1a15141a05 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -285,6 +285,7 @@ public:
 	 */
 	std::string DetectMIME(const u_char* data, uint64 len) const;
 
+
 protected:
 	friend class FileTimer;
 
@@ -370,6 +371,12 @@ private:
 	static string salt; /**< A salt added to file handles before hashing. */
 };
 
+/**
+ * Returns a script-layer value corresponding to the \c mime_matches type.
+ * @param m The MIME match information with which to populate the value.
+ */
+VectorVal* GenMIMEMatchesVal(const RuleMatcher::MIME_Matches& m);
+
 } // namespace file_analysis
 
 extern file_analysis::Manager* file_mgr;
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
index aa4509513f..20eed17659 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/output
@@ -41,7 +41,7 @@ export {
 
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
-	if ( kind=="sha1" && match_file_types in f$mime_type )
+	if ( kind=="sha1" && f?$mime_type && match_file_types in f$mime_type )
 		{
 		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
 		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
index 64ef286c39..df36ae02a2 100644
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
@@ -4,7 +4,7 @@ detect-MHR.bro
 
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
-	if ( kind=="sha1" && match_file_types in f$mime_type )
+	if ( kind=="sha1" && f?$mime_type && match_file_types in f$mime_type )
 		{
 		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
 		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index 02cebb72d0..45ba977b4d 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -16,16 +16,16 @@
       #empty_field	(empty)
       #unset_field	-
       #path	mime_metrics
-      #open	2014-03-03-22-45-14
+      #open	2014-03-06-17-30-44
       #fields	ts	ts_delta	mtype	uniq_hosts	hits	bytes
       #types	time	interval	string	count	count	count
       1389719059.311698	300.000000	text/html	1	4	53070
       1389719059.311698	300.000000	image/jpeg	1	1	186859
-      1389719059.311698	300.000000	text/troff	1	1	3180
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
+      1389719059.311698	300.000000	binary	1	1	3180
       1389719059.311698	300.000000	text/plain	1	12	113982
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
       1389719059.311698	300.000000	image/x-icon	1	2	2300
-      #close	2014-03-03-22-45-14
+      #close	2014-03-06-17-30-44
 
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
index aa4509513f..20eed17659 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
@@ -41,7 +41,7 @@ export {
 
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
-	if ( kind=="sha1" && match_file_types in f$mime_type )
+	if ( kind=="sha1" && f?$mime_type && match_file_types in f$mime_type )
 		{
 		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
 		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
diff --git a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
index 64ef286c39..df36ae02a2 100644
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@@ -4,7 +4,7 @@ detect-MHR.bro
 
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
-	if ( kind=="sha1" && match_file_types in f$mime_type )
+	if ( kind=="sha1" && f?$mime_type && match_file_types in f$mime_type )
 		{
 		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
 		when ( local MHR_result = lookup_hostname_txt(hash_domain) )

From 2f5f0d84082895cb411268d523db85fc020807a6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 6 Mar 2014 17:08:45 -0600
Subject: [PATCH 083/220] Fix bug in Connection::FlipRoles, addresses BIT-1148.

It didn't swap address values right and also didn't consider that
analyzers might be scheduled for the new connection tuple.

Issues were reported by Kevin McMahon, thanks.
---
 src/Conn.cc             |  7 +++++--
 src/analyzer/Manager.cc | 22 ++++++++++++++++++++++
 src/analyzer/Manager.h  |  7 +++++++
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/src/Conn.cc b/src/Conn.cc
index 0098d297e0..fa89f26d35 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -15,6 +15,7 @@
 #include "binpac.h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Analyzer.h"
+#include "analyzer/Manager.h"
 
 void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
 				int arg_do_expire)
@@ -722,8 +723,8 @@ TimerMgr* Connection::GetTimerMgr() const
 void Connection::FlipRoles()
 	{
 	IPAddr tmp_addr = resp_addr;
-	orig_addr = resp_addr;
-	resp_addr = tmp_addr;
+	resp_addr = orig_addr;
+	orig_addr = tmp_addr;
 
 	uint32 tmp_port = resp_port;
 	resp_port = orig_port;
@@ -742,6 +743,8 @@ void Connection::FlipRoles()
 
 	if ( root_analyzer )
 		root_analyzer->FlipRoles();
+
+	analyzer_mgr->ApplyScheduledAnalyzers(this);
 	}
 
 unsigned int Connection::MemoryAllocation() const
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 6268fde177..56b838b5b3 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -636,3 +636,25 @@ Manager::tag_set Manager::GetScheduled(const Connection* conn)
 	// eventually.
 	return result;
 	}
+
+void Manager::ApplyScheduledAnalyzers(Connection* conn)
+	{
+	TransportLayerAnalyzer* root = conn->GetRootAnalyzer();
+
+	if ( ! root )
+		return;
+
+	tag_set expected = GetScheduled(conn);
+
+	for ( tag_set::iterator it = expected.begin(); it != expected.end(); ++it )
+		{
+		Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*it, conn);
+
+		if ( ! analyzer )
+			continue;
+
+		root->AddChildAnalyzer(analyzer, true);
+		DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
+		                  analyzer_mgr->GetComponentName(*it));
+		}
+	}
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index 77b40a1d68..8db2bf3a98 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -292,6 +292,13 @@ public:
 				TransportProto proto, const char* analyzer,
 				double timeout);
 
+	/**
+	 * Searched for analyzers scheduled to be attached to a given connection
+	 * and then attaches them.
+	 * @param conn The connection to which scheduled analyzers are attached.
+	 */
+	void ApplyScheduledAnalyzers(Connection* conn);
+
 	/**
 	 * Schedules a particular analyzer for an upcoming connection. Once
 	 * the connection is seen, BuildInitAnalyzerTree() will add the

From a56c3437151985a1d0e4c881c047796109fbd81d Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 10 Mar 2014 10:42:59 -0400
Subject: [PATCH 084/220] Refactored formatters and updated the the writers a
 bit.

 - Formatters have been abstracted similarly to readers and writers now.
 - The Ascii writer has a new option for writing out logs as JSON.
 - The Ascii writer now has all options availble as per-filter
   options as well as global.
---
 .../base/frameworks/logging/writers/ascii.bro |  21 ++-
 scripts/policy/tuning/json-logs.bro           |   4 +
 scripts/test-all-policy.bro                   |   1 +
 src/CMakeLists.txt                            |   4 +-
 src/input/readers/Ascii.cc                    |  20 +-
 src/input/readers/Ascii.h                     |   4 +-
 src/input/readers/Benchmark.cc                |   2 +-
 src/input/readers/Benchmark.h                 |   4 +-
 src/input/readers/SQLite.cc                   |   2 +-
 src/input/readers/SQLite.h                    |   4 +-
 src/logging.bif                               |   1 +
 src/logging/writers/Ascii.cc                  | 177 +++++++++++-------
 src/logging/writers/Ascii.h                   |   6 +-
 src/logging/writers/ElasticSearch.cc          | 140 +-------------
 src/logging/writers/ElasticSearch.h           |   3 +-
 src/logging/writers/SQLite.cc                 |   2 +-
 src/logging/writers/SQLite.h                  |   4 +-
 src/threading/Formatter.cc                    | 149 +++++++++++++++
 .../{AsciiFormatter.h => Formatter.h}         | 114 +++++------
 .../Ascii.cc}                                 | 176 ++++-------------
 src/threading/formatters/Ascii.h              |  62 ++++++
 src/threading/formatters/JSON.cc              | 177 ++++++++++++++++++
 src/threading/formatters/JSON.h               |  30 +++
 .../ssh.log                                   |   1 +
 .../base/frameworks/logging/ascii-json.bro    |  70 +++++++
 25 files changed, 750 insertions(+), 428 deletions(-)
 create mode 100644 scripts/policy/tuning/json-logs.bro
 create mode 100644 src/threading/Formatter.cc
 rename src/threading/{AsciiFormatter.h => Formatter.h} (55%)
 rename src/threading/{AsciiFormatter.cc => formatters/Ascii.cc} (67%)
 create mode 100644 src/threading/formatters/Ascii.h
 create mode 100644 src/threading/formatters/JSON.cc
 create mode 100644 src/threading/formatters/JSON.h
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
 create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-json.bro

diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index e510874951..ab86e4641d 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -17,27 +17,38 @@ module LogAscii;
 export {
 	## If true, output everything to stdout rather than
 	## into files. This is primarily for debugging purposes.
+	## This is also available as a per-filter $config option.
 	const output_to_stdout = F &redef;
 
+	## If true, the default option will be to write logs in a JSON format.
+	## This is also available as a per-filter $config option.
+	const use_json = F &redef;
+
 	## If true, include lines with log meta information such as column names
 	## with types, the values of ASCII logging options that are in use, and
 	## the time when the file was opened and closed (the latter at the end).
+	## If writing in JSON format, this is implicitly disabled.
 	const include_meta = T &redef;
 
-	## Prefix for lines with meta information.
+	## Prefix for lines with meta information. This is also available as a 
+	## per-filter $config option.
 	const meta_prefix = "#" &redef;
 
-	## Separator between fields.
+	## Separator between fields.  This is also available as a per-filter 
+	## $config option.
 	const separator = Log::separator &redef;
 
-	## Separator between set elements.
+	## Separator between set elements.  This is also available as a 
+	## per-filter $config option.
 	const set_separator = Log::set_separator &redef;
 
 	## String to use for empty fields. This should be different from
-        ## *unset_field* to make the output unambiguous. 
+	## *unset_field* to make the output unambiguous.  This is also 
+	## available as a per-filter $config option.
 	const empty_field = Log::empty_field &redef;
 
-	## String to use for an unset &optional field.
+	## String to use for an unset &optional field.  This is also 
+	## available as a per-filter $config option.
 	const unset_field = Log::unset_field &redef;
 }
 
diff --git a/scripts/policy/tuning/json-logs.bro b/scripts/policy/tuning/json-logs.bro
new file mode 100644
index 0000000000..e7daf35063
--- /dev/null
+++ b/scripts/policy/tuning/json-logs.bro
@@ -0,0 +1,4 @@
+##! Loading this script will cause all logs to be written
+##! out as JSON by default.
+
+redef LogAscii::use_json=T;
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 3a0bd17614..254ad69533 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -93,6 +93,7 @@
 @load tuning/defaults/extracted_file_limits.bro
 @load tuning/defaults/packet-fragments.bro
 @load tuning/defaults/warnings.bro
+@load tuning/json-logs.bro
 @load tuning/logs-to-elasticsearch.bro
 @load tuning/track-all-assets.bro
 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index ecf8683ddd..0e990dd37b 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -335,11 +335,13 @@ set(bro_SRCS
     strsep.c
     modp_numtoa.c
 
-    threading/AsciiFormatter.cc
     threading/BasicThread.cc
+    threading/Formatter.cc
     threading/Manager.cc
     threading/MsgThread.cc
     threading/SerialTypes.cc
+    threading/formatters/Ascii.cc
+    threading/formatters/JSON.cc
 
     logging/Manager.cc
     logging/WriterBackend.cc
diff --git a/src/input/readers/Ascii.cc b/src/input/readers/Ascii.cc
index 3fc74480fc..4fd24de73d 100644
--- a/src/input/readers/Ascii.cc
+++ b/src/input/readers/Ascii.cc
@@ -69,13 +69,13 @@ Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(),
 			    BifConst::InputAscii::unset_field->Len());
 
-	ascii = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field));
+	formatter = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo(string(), set_separator, unset_field, empty_field));
 }
 
 Ascii::~Ascii()
 	{
 	DoClose();
-	delete ascii;
+	delete formatter;
 	}
 
 void Ascii::DoClose()
@@ -173,7 +173,6 @@ bool Ascii::ReadHeader(bool useCached)
 			return false;
 			}
 
-
 		FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]);
 
 		if ( field->secondary_name && strlen(field->secondary_name) != 0 )
@@ -200,7 +199,7 @@ bool Ascii::ReadHeader(bool useCached)
 bool Ascii::GetLine(string& str)
 	{
 	while ( getline(*file, str) )
-       		{
+		{
 		if ( str[0] != '#' )
 			return true;
 
@@ -282,7 +281,7 @@ bool Ascii::DoUpdate()
 
 	file->sync();
 
-	while ( GetLine(line ) )
+	while ( GetLine(line) )
 		{
 		// split on tabs
 		bool error = false;
@@ -332,7 +331,7 @@ bool Ascii::DoUpdate()
 				return false;
 				}
 
-			Value* val = ascii->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype);
+			Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype);
 
 			if ( val == 0 )
 				{
@@ -347,7 +346,7 @@ bool Ascii::DoUpdate()
 				assert(val->type == TYPE_PORT );
 				//	Error(Fmt("Got type %d != PORT with secondary position!", val->type));
 
-				val->val.port_val.proto = ascii->ParseProto(stringfields[(*fit).secondary_position]);
+				val->val.port_val.proto = formatter->ParseProto(stringfields[(*fit).secondary_position]);
 				}
 
 			fields[fpos] = val;
@@ -384,8 +383,9 @@ bool Ascii::DoUpdate()
 	}
 
 bool Ascii::DoHeartbeat(double network_time, double current_time)
-{
-	switch ( Info().mode  ) {
+	{
+	switch ( Info().mode  ) 
+		{
 		case MODE_MANUAL:
 			// yay, we do nothing :)
 			break;
@@ -398,7 +398,7 @@ bool Ascii::DoHeartbeat(double network_time, double current_time)
 
 		default:
 			assert(false);
-	}
+		}
 
 	return true;
 	}
diff --git a/src/input/readers/Ascii.h b/src/input/readers/Ascii.h
index 934ea9a258..5d6bc71d54 100644
--- a/src/input/readers/Ascii.h
+++ b/src/input/readers/Ascii.h
@@ -7,7 +7,7 @@
 #include <vector>
 
 #include "../ReaderBackend.h"
-#include "threading/AsciiFormatter.h"
+#include "threading/formatters/Ascii.h"
 
 namespace input { namespace reader {
 
@@ -64,7 +64,7 @@ private:
 	string empty_field;
 	string unset_field;
 
-	AsciiFormatter* ascii;
+	threading::formatter::Formatter* formatter;
 };
 
 
diff --git a/src/input/readers/Benchmark.cc b/src/input/readers/Benchmark.cc
index ec6b382ebb..de7eae8cc8 100644
--- a/src/input/readers/Benchmark.cc
+++ b/src/input/readers/Benchmark.cc
@@ -29,7 +29,7 @@ Benchmark::Benchmark(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	heartbeatstarttime = 0;
 	heartbeat_interval = double(BifConst::Threading::heartbeat_interval);
 
-	ascii = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo());
+	ascii = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo());
 	}
 
 Benchmark::~Benchmark()
diff --git a/src/input/readers/Benchmark.h b/src/input/readers/Benchmark.h
index ad61b7d2a4..3296f3a85e 100644
--- a/src/input/readers/Benchmark.h
+++ b/src/input/readers/Benchmark.h
@@ -4,7 +4,7 @@
 #define INPUT_READERS_BENCHMARK_H
 
 #include "../ReaderBackend.h"
-#include "threading/AsciiFormatter.h"
+#include "threading/formatters/Ascii.h"
 
 namespace input { namespace reader {
 
@@ -40,7 +40,7 @@ private:
 	double timedspread;
 	double heartbeat_interval;
 
-	AsciiFormatter* ascii;
+	threading::formatter::Ascii* ascii;
 };
 
 
diff --git a/src/input/readers/SQLite.cc b/src/input/readers/SQLite.cc
index 794b8059ba..d032f934a7 100644
--- a/src/input/readers/SQLite.cc
+++ b/src/input/readers/SQLite.cc
@@ -36,7 +36,7 @@ SQLite::SQLite(ReaderFrontend *frontend)
 			BifConst::InputSQLite::empty_field->Len()
 			);
 
-	io = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field));
+	io = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo(string(), set_separator, unset_field, empty_field));
 	}
 
 SQLite::~SQLite()
diff --git a/src/input/readers/SQLite.h b/src/input/readers/SQLite.h
index cdea9808c0..a98b3e06b8 100644
--- a/src/input/readers/SQLite.h
+++ b/src/input/readers/SQLite.h
@@ -10,7 +10,7 @@
 
 #include "../ReaderBackend.h"
 
-#include "threading/AsciiFormatter.h"
+#include "threading/formatters/Ascii.h"
 #include "3rdparty/sqlite3.h"
 
 namespace input { namespace reader {
@@ -40,7 +40,7 @@ private:
 	string query;
 	sqlite3 *db;
 	sqlite3_stmt *st;
-	AsciiFormatter* io;
+	threading::formatter::Ascii* io;
 
 	string set_separator;
 	string unset_field;
diff --git a/src/logging.bif b/src/logging.bif
index 1927e149c0..2e8a1eb3a4 100644
--- a/src/logging.bif
+++ b/src/logging.bif
@@ -77,6 +77,7 @@ const separator: string;
 const set_separator: string;
 const empty_field: string;
 const unset_field: string;
+const use_json: bool;
 
 # Options for the DataSeries writer.
 
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index 1a9cc5c4cd..bd5d175d3a 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -10,8 +10,7 @@
 
 #include "Ascii.h"
 
-using namespace logging;
-using namespace writer;
+using namespace logging::writer;
 using threading::Value;
 using threading::Field;
 
@@ -20,9 +19,46 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	fd = 0;
 	ascii_done = false;
 	tsv = false;
+	}
 
+Ascii::~Ascii()
+	{
+	if ( ! ascii_done )
+		{
+		fprintf(stderr, "internal error: finish missing\n");
+		abort();
+		}
+
+	delete formatter;
+	}
+
+bool Ascii::WriteHeaderField(const string& key, const string& val)
+	{
+	string str = meta_prefix + key + separator + val + "\n";
+
+	return safe_write(fd, str.c_str(), str.length());
+	}
+
+void Ascii::CloseFile(double t)
+	{
+	if ( ! fd )
+		return;
+
+	if ( include_meta && ! tsv )
+		WriteHeaderField("close", Timestamp(0));
+
+	safe_close(fd);
+	fd = 0;
+	}
+
+bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields)
+	{
+	assert(! fd);
+
+	// Set some default values.
 	output_to_stdout = BifConst::LogAscii::output_to_stdout;
 	include_meta = BifConst::LogAscii::include_meta;
+	use_json = BifConst::LogAscii::use_json;
 
 	separator.assign(
 			(const char*) BifConst::LogAscii::separator->Bytes(),
@@ -49,48 +85,81 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 			BifConst::LogAscii::meta_prefix->Len()
 			);
 
-	desc.EnableEscaping();
-	desc.AddEscapeSequence(separator);
-
-	ascii = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field));
-	}
-
-Ascii::~Ascii()
-	{
-	if ( ! ascii_done )
+	// Set per-filter configuration options.
+	for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
 		{
-		fprintf(stderr, "internal error: finish missing\n");
-		abort();
+		if ( strcmp(i->first, "tsv") == 0 )
+			{
+			if ( strcmp(i->second, "T") == 0 )
+				tsv = true;
+			else if ( strcmp(i->second, "F") == 0 )
+				tsv = false;
+			else
+				{
+				Error("invalid value for 'tsv', must be a string and either \"T\" or \"F\"");
+				return false;
+				}
+			}
+
+		else if ( strcmp(i->first, "use_json") == 0 )
+			{
+			if ( strcmp(i->second, "T") == 0 )
+				use_json = true;
+			else if ( strcmp(i->second, "F") == 0 )
+				use_json = false;
+			else
+				{
+				Error("invalid value for 'use_json', must be a string and either \"T\" or \"F\"");
+				return false;
+				}
+			}
+
+		else if ( strcmp(i->first, "output_to_stdout") == 0 )
+			{
+			if ( strcmp(i->second, "T") == 0 )
+				output_to_stdout = true;
+			else if ( strcmp(i->second, "F") == 0 )
+				output_to_stdout = false;
+			else
+				{
+				Error("invalid value for 'output_to_stdout', must be a string and either \"T\" or \"F\"");
+				return false;
+				}
+			}
+
+		else if ( strcmp(i->first, "separator") == 0 )
+			separator.assign(i->second);
+		
+		else if ( strcmp(i->first, "set_separator") == 0 )
+			set_separator.assign(i->second);
+		
+		else if ( strcmp(i->first, "empty_field") == 0 )
+			empty_field.assign(i->second);
+
+		else if ( strcmp(i->first, "unset_field") == 0 )
+			unset_field.assign(i->second);
+
+		else if ( strcmp(i->first, "meta_prefix") == 0 )
+			meta_prefix.assign(i->second);
 		}
 
-	delete ascii;
-	}
 
-bool Ascii::WriteHeaderField(const string& key, const string& val)
-	{
-	string str = meta_prefix + key + separator + val + "\n";
-
-	return safe_write(fd, str.c_str(), str.length());
-	}
-
-void Ascii::CloseFile(double t)
-	{
-	if ( ! fd )
-		return;
-
-	if ( include_meta && ! tsv )
-		WriteHeaderField("close", Timestamp(0));
-
-	safe_close(fd);
-	fd = 0;
-	}
-
-bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields)
-	{
-	assert(! fd);
+	if ( use_json )
+		{
+		// Write out JSON formatted logs.
+		formatter = new threading::formatter::JSON(this);
+		// Using JSON implicitly turns off the header meta fields.
+		include_meta = false;
+		}
+	else
+		{
+		// Use the default "Bro logs" format.
+		desc.EnableEscaping();
+		desc.AddEscapeSequence(separator);
+		formatter = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo(separator, set_separator, unset_field, empty_field));
+		}
 
 	string path = info.path;
-
 	if ( output_to_stdout )
 		path = "/dev/stdout";
 
@@ -106,24 +175,6 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 		return false;
 		}
 
-	for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
-		{
-		if ( strcmp(i->first, "tsv") == 0 )
-			{
-			if ( strcmp(i->second, "T") == 0 )
-				tsv = true;
-
-			else if ( strcmp(i->second, "F") == 0 )
-				tsv = false;
-
-			else
-				{
-				Error("invalid value for 'tsv', must be a string and either \"T\" or \"F\"");
-				return false;
-				}
-			}
-		}
-
 	if ( include_meta )
 		{
 		string names;
@@ -208,17 +259,9 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields,
 		DoInit(Info(), NumFields(), Fields());
 
 	desc.Clear();
-
-	for ( int i = 0; i < num_fields; i++ )
-		{
-		if ( i > 0 )
-			desc.AddRaw(separator);
-
-		if ( ! ascii->Describe(&desc, vals[i], fields[i]->name) )
-			return false;
-		}
-
-	desc.AddRaw("\n", 1);
+	if ( ! formatter->Describe(&desc, num_fields, fields, vals) )
+		return false;
+	desc.AddRaw("\n");
 
 	const char* bytes = (const char*)desc.Bytes();
 	int len = desc.Len();
diff --git a/src/logging/writers/Ascii.h b/src/logging/writers/Ascii.h
index 0ddcada57b..08af465ff4 100644
--- a/src/logging/writers/Ascii.h
+++ b/src/logging/writers/Ascii.h
@@ -6,7 +6,8 @@
 #define LOGGING_WRITER_ASCII_H
 
 #include "../WriterBackend.h"
-#include "threading/AsciiFormatter.h"
+#include "threading/formatters/Ascii.h"
+#include "threading/formatters/JSON.h"
 
 namespace logging { namespace writer {
 
@@ -46,6 +47,7 @@ private:
 	bool output_to_stdout;
 	bool include_meta;
 	bool tsv;
+	bool use_json;
 
 	string separator;
 	string set_separator;
@@ -53,7 +55,7 @@ private:
 	string unset_field;
 	string meta_prefix;
 
-	AsciiFormatter* ascii;
+	threading::formatter::Formatter* formatter;
 };
 
 }
diff --git a/src/logging/writers/ElasticSearch.cc b/src/logging/writers/ElasticSearch.cc
index b22c3f4ab6..cec5bac80e 100644
--- a/src/logging/writers/ElasticSearch.cc
+++ b/src/logging/writers/ElasticSearch.cc
@@ -16,7 +16,6 @@
 #include "BroString.h"
 #include "NetVar.h"
 #include "threading/SerialTypes.h"
-#include "threading/AsciiFormatter.h"
 
 #include <curl/curl.h>
 #include <curl/easy.h>
@@ -53,13 +52,13 @@ ElasticSearch::ElasticSearch(WriterFrontend* frontend) : WriterBackend(frontend)
 
 	curl_handle = HTTPSetup();
 
-	ascii = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo());
+	json = new threading::formatter::JSON(this);
 }
 
 ElasticSearch::~ElasticSearch()
 	{
 	delete [] cluster_name;
-	delete ascii;
+	delete json;
 	}
 
 bool ElasticSearch::DoInit(const WriterInfo& info, int num_fields, const threading::Field* const* fields)
@@ -98,133 +97,7 @@ bool ElasticSearch::BatchIndex()
 	return true;
 	}
 
-bool ElasticSearch::AddValueToBuffer(ODesc* b, Value* val)
-	{
-	switch ( val->type )
-		{
-		// ES treats 0 as false and any other value as true so bool types go here.
-		case TYPE_BOOL:
-		case TYPE_INT:
-			b->Add(val->val.int_val);
-			break;
 
-		case TYPE_COUNT:
-		case TYPE_COUNTER:
-			{
-			// ElasticSearch doesn't seem to support unsigned 64bit ints.
-			if ( val->val.uint_val >= INT64_MAX )
-				{
-				Error(Fmt("count value too large: %" PRIu64, val->val.uint_val));
-				b->AddRaw("null", 4);
-				}
-			else
-				b->Add(val->val.uint_val);
-			break;
-			}
-
-		case TYPE_PORT:
-			b->Add(val->val.port_val.port);
-			break;
-
-		case TYPE_SUBNET:
-			b->AddRaw("\"", 1);
-			b->Add(ascii->Render(val->val.subnet_val));
-			b->AddRaw("\"", 1);
-			break;
-
-		case TYPE_ADDR:
-			b->AddRaw("\"", 1);
-			b->Add(ascii->Render(val->val.addr_val));
-			b->AddRaw("\"", 1);
-			break;
-
-		case TYPE_DOUBLE:
-		case TYPE_INTERVAL:
-			b->Add(val->val.double_val);
-			break;
-
-		case TYPE_TIME:
-			{
-			// ElasticSearch uses milliseconds for timestamps and json only
-			// supports signed ints (uints can be too large).
-			uint64_t ts = (uint64_t) (val->val.double_val * 1000);
-			if ( ts >= INT64_MAX )
-				{
-				Error(Fmt("time value too large: %" PRIu64, ts));
-				b->AddRaw("null", 4);
-				}
-			else
-				b->Add(ts);
-			break;
-			}
-
-		case TYPE_ENUM:
-		case TYPE_STRING:
-		case TYPE_FILE:
-		case TYPE_FUNC:
-			{
-			b->AddRaw("\"", 1);
-			for ( int i = 0; i < val->val.string_val.length; ++i )
-				{
-				char c = val->val.string_val.data[i];
-				// 2byte Unicode escape special characters.
-				if ( c < 32 || c > 126 || c == '\n' || c == '"' || c == '\'' || c == '\\' || c == '&' )
-					{
-					static const char hex_chars[] = "0123456789abcdef";
-					b->AddRaw("\\u00", 4);
-					b->AddRaw(&hex_chars[(c & 0xf0) >> 4], 1);
-					b->AddRaw(&hex_chars[c & 0x0f], 1);
-					}
-				else
-					b->AddRaw(&c, 1);
-				}
-			b->AddRaw("\"", 1);
-			break;
-			}
-
-		case TYPE_TABLE:
-			{
-			b->AddRaw("[", 1);
-			for ( int j = 0; j < val->val.set_val.size; j++ )
-				{
-				if ( j > 0 )
-					b->AddRaw(",", 1);
-				AddValueToBuffer(b, val->val.set_val.vals[j]);
-				}
-			b->AddRaw("]", 1);
-			break;
-			}
-
-		case TYPE_VECTOR:
-			{
-			b->AddRaw("[", 1);
-			for ( int j = 0; j < val->val.vector_val.size; j++ )
-				{
-				if ( j > 0 )
-					b->AddRaw(",", 1);
-				AddValueToBuffer(b, val->val.vector_val.vals[j]);
-				}
-			b->AddRaw("]", 1);
-			break;
-			}
-
-		default:
-			return false;
-		}
-	return true;
-	}
-
-bool ElasticSearch::AddFieldToBuffer(ODesc *b, Value* val, const Field* field)
-	{
-	if ( ! val->present )
-		return false;
-
-	b->AddRaw("\"", 1);
-	b->Add(field->name);
-	b->AddRaw("\":", 2);
-	AddValueToBuffer(b, val);
-	return true;
-	}
 
 bool ElasticSearch::DoWrite(int num_fields, const Field* const * fields,
 			     Value** vals)
@@ -239,14 +112,7 @@ bool ElasticSearch::DoWrite(int num_fields, const Field* const * fields,
 	buffer.Add(Info().path);
 	buffer.AddRaw("\"}}\n", 4);
 
-	buffer.AddRaw("{", 1);
-	for ( int i = 0; i < num_fields; i++ )
-		{
-		if ( i > 0 && buffer.Bytes()[buffer.Len()] != ',' && vals[i]->present )
-			buffer.AddRaw(",", 1);
-		AddFieldToBuffer(&buffer, vals[i], fields[i]);
-		}
-	buffer.AddRaw("}\n", 2);
+	json->Describe(&buffer, num_fields, fields, vals);
 
 	counter++;
 	if ( counter >= BifConst::LogElasticSearch::max_batch_size ||
diff --git a/src/logging/writers/ElasticSearch.h b/src/logging/writers/ElasticSearch.h
index b7aba09964..283fff2972 100644
--- a/src/logging/writers/ElasticSearch.h
+++ b/src/logging/writers/ElasticSearch.h
@@ -9,6 +9,7 @@
 #define LOGGING_WRITER_ELASTICSEARCH_H
 
 #include <curl/curl.h>
+#include "threading/formatters/JSON.h"
 #include "../WriterBackend.h"
 
 namespace logging { namespace writer {
@@ -73,7 +74,7 @@ private:
 
 	uint64 batch_size;
 
-	AsciiFormatter* ascii;
+	threading::formatter::JSON* json;
 };
 
 }
diff --git a/src/logging/writers/SQLite.cc b/src/logging/writers/SQLite.cc
index 25f5cb012e..968345696d 100644
--- a/src/logging/writers/SQLite.cc
+++ b/src/logging/writers/SQLite.cc
@@ -35,7 +35,7 @@ SQLite::SQLite(WriterFrontend* frontend)
 			BifConst::LogSQLite::empty_field->Len()
 			);
 
-	io = new AsciiFormatter(this, AsciiFormatter::SeparatorInfo(set_separator, unset_field, empty_field));
+	io = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo(string(), set_separator, unset_field, empty_field));
 	}
 
 SQLite::~SQLite()
diff --git a/src/logging/writers/SQLite.h b/src/logging/writers/SQLite.h
index b70381ebf6..a962e903ff 100644
--- a/src/logging/writers/SQLite.h
+++ b/src/logging/writers/SQLite.h
@@ -9,7 +9,7 @@
 
 #include "../WriterBackend.h"
 
-#include "threading/AsciiFormatter.h"
+#include "threading/formatters/Ascii.h"
 #include "3rdparty/sqlite3.h"
 
 namespace logging { namespace writer {
@@ -51,7 +51,7 @@ private:
 	string unset_field;
 	string empty_field;
 
-	AsciiFormatter* io;
+	threading::formatter::Ascii* io;
 };
 
 }
diff --git a/src/threading/Formatter.cc b/src/threading/Formatter.cc
new file mode 100644
index 0000000000..12037a741b
--- /dev/null
+++ b/src/threading/Formatter.cc
@@ -0,0 +1,149 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sstream>
+#include <errno.h>
+
+#include "Formatter.h"
+#include "bro_inet_ntop.h"
+
+using namespace threading;
+using namespace formatter;
+using threading::Value;
+using threading::Field;
+
+Formatter::Formatter(threading::MsgThread* t)
+	{
+	thread = t;
+	}
+
+Formatter::~Formatter()
+	{
+	}
+
+bool Formatter::CheckNumberError(const string& s, const char* end) const
+	{
+	// Do this check first, before executing s.c_str() or similar.
+	// otherwise the value to which *end is pointing at the moment might
+	// be gone ...
+	bool endnotnull =  (*end != '\0');
+
+	if ( s.length() == 0 )
+		{
+		thread->Error("Got empty string for number field");
+		return true;
+		}
+
+	if ( end == s.c_str() ) {
+		thread->Error(thread->Fmt("String '%s' contained no parseable number", s.c_str()));
+		return true;
+	}
+
+	if ( endnotnull )
+		thread->Warning(thread->Fmt("Number '%s' contained non-numeric trailing characters. Ignored trailing characters '%s'", s.c_str(), end));
+
+	if ( errno == EINVAL )
+		{
+		thread->Error(thread->Fmt("String '%s' could not be converted to a number", s.c_str()));
+		return true;
+		}
+
+	else if ( errno == ERANGE )
+		{
+		thread->Error(thread->Fmt("Number '%s' out of supported range.", s.c_str()));
+		return true;
+		}
+
+	return false;
+	}
+
+string Formatter::Render(const threading::Value::addr_t& addr) const
+	{
+	if ( addr.family == IPv4 )
+		{
+		char s[INET_ADDRSTRLEN];
+
+		if ( ! bro_inet_ntop(AF_INET, &addr.in.in4, s, INET_ADDRSTRLEN) )
+			return "<bad IPv4 address conversion>";
+		else
+			return s;
+		}
+	else
+		{
+		char s[INET6_ADDRSTRLEN];
+
+		if ( ! bro_inet_ntop(AF_INET6, &addr.in.in6, s, INET6_ADDRSTRLEN) )
+			return "<bad IPv6 address conversion>";
+		else
+			return s;
+		}
+	}
+
+TransportProto Formatter::ParseProto(const string &proto) const
+	{
+	if ( proto == "unknown" )
+		return TRANSPORT_UNKNOWN;
+	else if ( proto == "tcp" )
+		return TRANSPORT_TCP;
+	else if ( proto == "udp" )
+		return TRANSPORT_UDP;
+	else if ( proto == "icmp" )
+		return TRANSPORT_ICMP;
+
+	thread->Error(thread->Fmt("Tried to parse invalid/unknown protocol: %s", proto.c_str()));
+
+	return TRANSPORT_UNKNOWN;
+	}
+
+
+// More or less verbose copy from IPAddr.cc -- which uses reporter.
+threading::Value::addr_t Formatter::ParseAddr(const string &s) const
+	{
+		threading::Value::addr_t val;
+
+	if ( s.find(':') == std::string::npos ) // IPv4.
+		{
+		val.family = IPv4;
+
+		if ( inet_aton(s.c_str(), &(val.in.in4)) <= 0 )
+			{
+			thread->Error(thread->Fmt("Bad address: %s", s.c_str()));
+			memset(&val.in.in4.s_addr, 0, sizeof(val.in.in4.s_addr));
+			}
+		}
+
+	else
+		{
+		val.family = IPv6;
+		if ( inet_pton(AF_INET6, s.c_str(), val.in.in6.s6_addr) <=0 )
+			{
+			thread->Error(thread->Fmt("Bad address: %s", s.c_str()));
+			memset(val.in.in6.s6_addr, 0, sizeof(val.in.in6.s6_addr));
+			}
+		}
+
+	return val;
+	}
+
+string Formatter::Render(const threading::Value::subnet_t& subnet) const
+	{
+	char l[16];
+
+	if ( subnet.prefix.family == IPv4 )
+		modp_uitoa10(subnet.length - 96, l);
+	else
+		modp_uitoa10(subnet.length, l);
+
+	string s = Render(subnet.prefix) + "/" + l;
+
+	return s;
+	}
+
+string Formatter::Render(double d) const
+	{
+	char buf[256];
+	modp_dtoa(d, buf, 6);
+	return buf;
+	}
+
diff --git a/src/threading/AsciiFormatter.h b/src/threading/Formatter.h
similarity index 55%
rename from src/threading/AsciiFormatter.h
rename to src/threading/Formatter.h
index 1522e46191..c5f6cb4296 100644
--- a/src/threading/AsciiFormatter.h
+++ b/src/threading/Formatter.h
@@ -1,42 +1,20 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#ifndef THREADING_ASCII_FORMATTER_H
-#define THREADING_ASCII_FORMATTER_H
+#ifndef THREADING_FORMATTER_H
+#define THREADING_FORMATTER_H
 
 #include "../Desc.h"
 #include "MsgThread.h"
 
+namespace threading { namespace formatter {
+
 /**
-  * A thread-safe class for converting values into a readable ASCII
-  * representation, and vice versa. This is a utility class that factors out
-  * common rendering/parsing code needed by a number of input/output threads.
+  * A thread-safe class for converting values into some textual format. 
+  * This is a base class that implements the interface forcommon 
+  * rendering/parsing code needed by a number of input/output threads.
   */
-class AsciiFormatter {
+class Formatter {
 public:
-	/**
-	 * A struct to pass the necessary configuration values to the
-	 * AsciiFormatter module on initialization.
-	 */
-	struct SeparatorInfo
-		{
-		string set_separator;	// Separator between set elements.
-		string unset_field;	// String marking an unset field.
-		string empty_field;	// String marking an empty (but set) field.
-
-		/**
-		 * Constructor that leaves separators etc unset to dummy
-		 * values. Useful if you use only methods that don't need any
-		 * of them, like StringToAddr, etc.
-		 */
-		SeparatorInfo();
-
-		/**
-		 * Constructor that defines all the configuration options.
-		 * Use if you need either ValToODesc or EntryToVal.
-		 */
-		SeparatorInfo(const string& set_separator, const string& unset_field, const string& empty_field);
-		};
-
 	/**
 	 * Constructor.
 	 *
@@ -44,31 +22,69 @@ public:
 	 * some of the thread's methods, e.g., for error reporting and
 	 * internal formatting.
 	 *
-	 * @param info SeparatorInfo structure defining the necessary
-	 * separators.
 	 */
-	AsciiFormatter(threading::MsgThread* t, const SeparatorInfo info);
+	Formatter(threading::MsgThread* t);
 
 	/**
 	 * Destructor.
 	 */
-	~AsciiFormatter();
+	virtual ~Formatter();
 
 	/**
-	 * Convert a threading value into a corresponding ASCII.
-	 * representation.
+	 * Convert a list of threading values into an implementation specific representation.
+	 *
+	 * @param desc The ODesc object to write to.
+	 *
+	 * @param num_fields The number of fields in the logging record.
+	 *
+	 * @param fields Information about the fields for each of the given log values.
+	 *
+	 * @param vals The field values.
+	 *
+	 * @return Returns true on success, false on error. Errors are also
+	 * flagged via the reporter.
+	 */
+	virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields,
+	                      threading::Value** vals) const = 0;
+
+	/**
+	 * Convert a threading value into an implementation specific representation.
 	 *
 	 * @param desc The ODesc object to write to.
 	 *
 	 * @param val the Value to render to the ODesc object.
 	 *
-	 * @param The name of a field associated with the value. Used only
-	 * for error reporting.
+	 * @return Returns true on success, false on error. Errors are also
+	 * flagged via the reporter.
+	 */
+	virtual bool Describe(ODesc* desc, threading::Value* val) const = 0;
+
+	/**
+	 * Convert a threading value into an implementation specific representation.
+	 *
+	 * @param desc The ODesc object to write to.
+	 *
+	 * @param val the Value to render to the ODesc object.
+	 *
+	 * @param The name of a field associated with the value.
 	 *
 	 * @return Returns true on success, false on error. Errors are also
 	 * flagged via the reporter.
 	 */
-	bool Describe(ODesc* desc, threading::Value* val, const string& name) const;
+	virtual bool Describe(ODesc* desc, threading::Value* val, const string& name) const = 0;
+
+	/**
+	 * Convert a representation of a field into a value.
+	 *
+	 * @param s The string to parse.
+	 *
+	 * @param The name of a field associated with the value. Used only
+	 * for error reporting.
+	 *
+	 * @return The new value, or null on error. Errors are also flagged
+	 * via the reporter.
+	 */
+	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const = 0;
 
 	/**
 	 * Convert an IP address into a string.
@@ -98,19 +114,6 @@ public:
 	 */
 	string Render(double d) const;
 
-	/**
-	 * Convert the ASCII representation of a field into a value.
-	 *
-	 * @param s The string to parse.
-	 *
-	 * @param The name of a field associated with the value. Used only
-	 * for error reporting.
-	 *
-	 * @return The new value, or null on error. Errors are also flagged
-	 * via the reporter.
-	 */
-	threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
-
 	/**
 	 * Convert a string into a TransportProto. The string must be one of
 	 * \c tcp, \c udp, \c icmp, or \c unknown.
@@ -132,11 +135,12 @@ public:
 	 */
 	threading::Value::addr_t ParseAddr(const string &addr) const;
 
-private:
+protected:
 	bool CheckNumberError(const string& s, const char * end) const;
 
-	SeparatorInfo separators;
 	threading::MsgThread* thread;
 };
 
-#endif /* THREADING_ASCII_FORMATTER_H */
+}}
+
+#endif /* THREADING_FORMATTER_H */
diff --git a/src/threading/AsciiFormatter.cc b/src/threading/formatters/Ascii.cc
similarity index 67%
rename from src/threading/AsciiFormatter.cc
rename to src/threading/formatters/Ascii.cc
index 616abbe2b6..6457f3c782 100644
--- a/src/threading/AsciiFormatter.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -5,35 +5,59 @@
 #include <sstream>
 #include <errno.h>
 
-#include "AsciiFormatter.h"
-#include "bro_inet_ntop.h"
+#include "./Ascii.h"
 
-AsciiFormatter::SeparatorInfo::SeparatorInfo()
+using namespace threading::formatter;
+
+Ascii::SeparatorInfo::SeparatorInfo()
 	{
+	this->separator = "SHOULD_NOT_BE_USED";
 	this->set_separator = "SHOULD_NOT_BE_USED";
 	this->unset_field = "SHOULD_NOT_BE_USED";
 	this->empty_field = "SHOULD_NOT_BE_USED";
 	}
 
-AsciiFormatter::SeparatorInfo::SeparatorInfo(const string & set_separator,
-				 const string & unset_field, const string & empty_field)
+Ascii::SeparatorInfo::SeparatorInfo(const string & separator,
+                                    const string & set_separator,
+                                    const string & unset_field,
+                                    const string & empty_field)
 	{
+	this->separator = separator;
 	this->set_separator = set_separator;
 	this->unset_field = unset_field;
 	this->empty_field = empty_field;
 	}
 
-AsciiFormatter::AsciiFormatter(threading::MsgThread* t, const SeparatorInfo info)
+Ascii::Ascii(threading::MsgThread* t, const SeparatorInfo info) : Formatter(t)
 	{
-	thread = t;
 	this->separators = info;
 	}
 
-AsciiFormatter::~AsciiFormatter()
+Ascii::~Ascii()
 	{
 	}
 
-bool AsciiFormatter::Describe(ODesc* desc, threading::Value* val, const string& name) const
+bool Ascii::Describe(ODesc* desc, int num_fields, const threading::Field* const * fields,
+                     threading::Value** vals) const
+	{
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( i > 0 )
+			desc->AddRaw(separators.separator);
+
+		if ( ! Describe(desc, vals[i], fields[i]->name) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) const
+	{
+	return Describe(desc, val);
+	}
+
+bool Ascii::Describe(ODesc* desc, threading::Value* val) const
 	{
 	if ( ! val->present )
 		{
@@ -133,7 +157,7 @@ bool AsciiFormatter::Describe(ODesc* desc, threading::Value* val, const string&
 			if ( j > 0 )
 				desc->AddRaw(separators.set_separator);
 
-			if ( ! Describe(desc, val->val.set_val.vals[j], name) )
+			if ( ! Describe(desc, val->val.set_val.vals[j]) )
 				{
 				desc->RemoveEscapeSequence(separators.set_separator);
 				return false;
@@ -158,7 +182,7 @@ bool AsciiFormatter::Describe(ODesc* desc, threading::Value* val, const string&
 			if ( j > 0 )
 				desc->AddRaw(separators.set_separator);
 
-			if ( ! Describe(desc, val->val.vector_val.vals[j], name) )
+			if ( ! Describe(desc, val->val.vector_val.vals[j]) )
 				{
 				desc->RemoveEscapeSequence(separators.set_separator);
 				return false;
@@ -170,7 +194,7 @@ bool AsciiFormatter::Describe(ODesc* desc, threading::Value* val, const string&
 		}
 
 	default:
-		thread->Error(thread->Fmt("unsupported field format %d for %s", val->type, name.c_str()));
+		thread->Error(thread->Fmt("Ascii writer unsupported field format %d", val->type));
 		return false;
 	}
 
@@ -178,7 +202,7 @@ bool AsciiFormatter::Describe(ODesc* desc, threading::Value* val, const string&
 	}
 
 
-threading::Value* AsciiFormatter::ParseValue(string s, string name, TypeTag type, TypeTag subtype) const
+threading::Value* Ascii::ParseValue(string s, string name, TypeTag type, TypeTag subtype) const
 	{
 	if ( s.compare(separators.unset_field) == 0 )  // field is not set...
 		return new threading::Value(type, false);
@@ -381,129 +405,3 @@ parse_error:
 	delete val;
 	return 0;
 	}
-
-bool AsciiFormatter::CheckNumberError(const string& s, const char* end) const
-	{
-	// Do this check first, before executing s.c_str() or similar.
-	// otherwise the value to which *end is pointing at the moment might
-	// be gone ...
-	bool endnotnull =  (*end != '\0');
-
-	if ( s.length() == 0 )
-		{
-		thread->Error("Got empty string for number field");
-		return true;
-		}
-
-	if ( end == s.c_str() ) {
-		thread->Error(thread->Fmt("String '%s' contained no parseable number", s.c_str()));
-		return true;
-	}
-
-	if ( endnotnull )
-		thread->Warning(thread->Fmt("Number '%s' contained non-numeric trailing characters. Ignored trailing characters '%s'", s.c_str(), end));
-
-	if ( errno == EINVAL )
-		{
-		thread->Error(thread->Fmt("String '%s' could not be converted to a number", s.c_str()));
-		return true;
-		}
-
-	else if ( errno == ERANGE )
-		{
-		thread->Error(thread->Fmt("Number '%s' out of supported range.", s.c_str()));
-		return true;
-		}
-
-	return false;
-	}
-
-string AsciiFormatter::Render(const threading::Value::addr_t& addr) const
-	{
-	if ( addr.family == IPv4 )
-		{
-		char s[INET_ADDRSTRLEN];
-
-		if ( ! bro_inet_ntop(AF_INET, &addr.in.in4, s, INET_ADDRSTRLEN) )
-			return "<bad IPv4 address conversion>";
-		else
-			return s;
-		}
-	else
-		{
-		char s[INET6_ADDRSTRLEN];
-
-		if ( ! bro_inet_ntop(AF_INET6, &addr.in.in6, s, INET6_ADDRSTRLEN) )
-			return "<bad IPv6 address conversion>";
-		else
-			return s;
-		}
-	}
-
-TransportProto AsciiFormatter::ParseProto(const string &proto) const
-	{
-	if ( proto == "unknown" )
-		return TRANSPORT_UNKNOWN;
-	else if ( proto == "tcp" )
-		return TRANSPORT_TCP;
-	else if ( proto == "udp" )
-		return TRANSPORT_UDP;
-	else if ( proto == "icmp" )
-		return TRANSPORT_ICMP;
-
-	thread->Error(thread->Fmt("Tried to parse invalid/unknown protocol: %s", proto.c_str()));
-
-	return TRANSPORT_UNKNOWN;
-	}
-
-
-// More or less verbose copy from IPAddr.cc -- which uses reporter.
-threading::Value::addr_t AsciiFormatter::ParseAddr(const string &s) const
-	{
-		threading::Value::addr_t val;
-
-	if ( s.find(':') == std::string::npos ) // IPv4.
-		{
-		val.family = IPv4;
-
-		if ( inet_aton(s.c_str(), &(val.in.in4)) <= 0 )
-			{
-			thread->Error(thread->Fmt("Bad address: %s", s.c_str()));
-			memset(&val.in.in4.s_addr, 0, sizeof(val.in.in4.s_addr));
-			}
-		}
-
-	else
-		{
-		val.family = IPv6;
-		if ( inet_pton(AF_INET6, s.c_str(), val.in.in6.s6_addr) <=0 )
-			{
-			thread->Error(thread->Fmt("Bad address: %s", s.c_str()));
-			memset(val.in.in6.s6_addr, 0, sizeof(val.in.in6.s6_addr));
-			}
-		}
-
-	return val;
-	}
-
-string AsciiFormatter::Render(const threading::Value::subnet_t& subnet) const
-	{
-	char l[16];
-
-	if ( subnet.prefix.family == IPv4 )
-		modp_uitoa10(subnet.length - 96, l);
-	else
-		modp_uitoa10(subnet.length, l);
-
-	string s = Render(subnet.prefix) + "/" + l;
-
-	return s;
-	}
-
-string AsciiFormatter::Render(double d) const
-	{
-	char buf[256];
-	modp_dtoa(d, buf, 6);
-	return buf;
-	}
-
diff --git a/src/threading/formatters/Ascii.h b/src/threading/formatters/Ascii.h
new file mode 100644
index 0000000000..d4b8eec052
--- /dev/null
+++ b/src/threading/formatters/Ascii.h
@@ -0,0 +1,62 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef THREADING_FORMATTERS_ASCII_H
+#define THREADING_FORMATTERS_ASCII_H
+
+#include "../Formatter.h"
+
+namespace threading { namespace formatter {
+
+class Ascii : public Formatter {
+public:
+	/**
+	 * A struct to pass the necessary configuration values to the
+	 * Ascii module on initialization.
+	 */
+	struct SeparatorInfo
+		{
+		string separator;		// Separator between columns
+		string set_separator;	// Separator between set elements.
+		string unset_field;	// String marking an unset field.
+		string empty_field;	// String marking an empty (but set) field.
+
+		/**
+		 * Constructor that leaves separators etc unset to dummy
+		 * values. Useful if you use only methods that don't need any
+		 * of them, like StringToAddr, etc.
+		 */
+		SeparatorInfo();
+
+		/**
+		 * Constructor that defines all the configuration options.
+		 * Use if you need either ValToODesc or EntryToVal.
+		 */
+		SeparatorInfo(const string& separator, const string& set_separator, const string& unset_field, const string& empty_field);
+		};
+
+	/**
+	 * Constructor.
+	 *
+	 * @param t The thread that uses this class instance. The class uses
+	 * some of the thread's methods, e.g., for error reporting and
+	 * internal formatting.
+	 *
+	 * @param info SeparatorInfo structure defining the necessary
+	 * separators.
+	 */
+	Ascii(threading::MsgThread* t, const SeparatorInfo info);
+	virtual ~Ascii();
+
+	virtual bool Describe(ODesc* desc, threading::Value* val) const;
+	virtual bool Describe(ODesc* desc, threading::Value* val, const string& name) const;
+	virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields,
+	                      threading::Value** vals) const;
+	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
+
+private:
+	SeparatorInfo separators;
+};
+
+}}
+
+#endif /* THREADING_FORMATTERS_ASCII_H */
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
new file mode 100644
index 0000000000..c1e68b27bb
--- /dev/null
+++ b/src/threading/formatters/JSON.cc
@@ -0,0 +1,177 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sstream>
+#include <errno.h>
+
+#include "./JSON.h"
+
+using namespace threading::formatter;
+
+JSON::JSON(MsgThread* t) : Formatter(t)
+	{
+	}
+
+JSON::~JSON()
+	{
+	}
+
+bool JSON::Describe(ODesc* desc, int num_fields, const Field* const * fields,
+                    Value** vals) const
+	{
+	desc->AddRaw("{");
+	for ( int i = 0; i < num_fields; i++ )
+		{
+		if ( i > 0 &&
+		     desc->Bytes()[desc->Len()] != ',' && vals[i]->present )
+			{
+			desc->AddRaw(",");
+			}
+
+		if ( ! Describe(desc, vals[i], fields[i]->name) )
+			return false;
+		}
+	desc->AddRaw("}");
+	return true;
+	}
+
+bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
+	{
+	if ( ! val->present )
+		return true;
+
+	desc->AddRaw("\"", 1);
+	desc->Add(name);
+	desc->AddRaw("\":", 2);
+
+	return Describe(desc, val);
+	}
+
+bool JSON::Describe(ODesc* desc, Value* val) const
+	{
+	if ( ! val->present )
+		return true;
+
+	switch ( val->type )
+		{
+		case TYPE_BOOL:
+			desc->AddRaw(val->val.int_val == 0 ? "false" : "true");
+			break;
+
+		case TYPE_INT:
+			desc->Add(val->val.int_val);
+			break;
+
+		case TYPE_COUNT:
+		case TYPE_COUNTER:
+			{
+			// JSON doesn't support unsigned 64bit ints.
+			if ( val->val.uint_val >= INT64_MAX )
+				{
+				thread->Error(thread->Fmt("count value too large for JSON: %" PRIu64, val->val.uint_val));
+				desc->AddRaw("null", 4);
+				}
+			else
+				desc->Add(val->val.uint_val);
+			break;
+			}
+
+		case TYPE_PORT:
+			desc->Add(val->val.port_val.port);
+			break;
+
+		case TYPE_SUBNET:
+			desc->AddRaw("\"", 1);
+			desc->Add(Render(val->val.subnet_val));
+			desc->AddRaw("\"", 1);
+			break;
+
+		case TYPE_ADDR:
+			desc->AddRaw("\"", 1);
+			desc->Add(Render(val->val.addr_val));
+			desc->AddRaw("\"", 1);
+			break;
+
+		case TYPE_DOUBLE:
+		case TYPE_INTERVAL:
+			desc->Add(val->val.double_val);
+			break;
+
+		case TYPE_TIME:
+			{
+			// ElasticSearch uses milliseconds for timestamps and json only
+			// supports signed ints (uints can be too large).
+			uint64_t ts = (uint64_t) (val->val.double_val * 1000);
+			if ( ts >= INT64_MAX )
+				{
+				thread->Error(thread->Fmt("time value too large for JSON: %" PRIu64, ts));
+				desc->AddRaw("null", 4);
+				}
+			else
+				desc->Add(ts);
+			break;
+			}
+
+		case TYPE_ENUM:
+		case TYPE_STRING:
+		case TYPE_FILE:
+		case TYPE_FUNC:
+			{
+			desc->AddRaw("\"", 1);
+			for ( int i = 0; i < val->val.string_val.length; ++i )
+				{
+				char c = val->val.string_val.data[i];
+				// 2byte Unicode escape special characters.
+				if ( c < 32 || c > 126 || c == '\n' || c == '"' || c == '\'' || c == '\\' || c == '&' )
+					{
+					static const char hex_chars[] = "0123456789abcdef";
+					desc->AddRaw("\\u00", 4);
+					desc->AddRaw(&hex_chars[(c & 0xf0) >> 4], 1);
+					desc->AddRaw(&hex_chars[c & 0x0f], 1);
+					}
+				else
+					desc->AddRaw(&c, 1);
+				}
+			desc->AddRaw("\"", 1);
+			break;
+			}
+
+		case TYPE_TABLE:
+			{
+			desc->AddRaw("[", 1);
+			for ( int j = 0; j < val->val.set_val.size; j++ )
+				{
+				if ( j > 0 )
+					desc->AddRaw(",", 1);
+				Describe(desc, val->val.set_val.vals[j]);
+				}
+			desc->AddRaw("]", 1);
+			break;
+			}
+
+		case TYPE_VECTOR:
+			{
+			desc->AddRaw("[", 1);
+			for ( int j = 0; j < val->val.vector_val.size; j++ )
+				{
+				if ( j > 0 )
+					desc->AddRaw(",", 1);
+				Describe(desc, val->val.vector_val.vals[j]);
+				}
+			desc->AddRaw("]", 1);
+			break;
+			}
+
+		default:
+			return false;
+		}
+
+	return true;
+	}
+
+threading::Value* JSON::ParseValue(string s, string name, TypeTag type, TypeTag subtype) const
+	{
+	thread->Error("JSON formatter does not support parsing yet.");
+	return NULL;
+	}
diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h
new file mode 100644
index 0000000000..7b4c4ea328
--- /dev/null
+++ b/src/threading/formatters/JSON.h
@@ -0,0 +1,30 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef THREADING_FORMATTERS_JSON_H
+#define THREADING_FORMATTERS_JSON_H
+
+#include "../Formatter.h"
+
+namespace threading { namespace formatter {
+
+/**
+  * A thread-safe class for converting values into a JSON representation
+  * and vice versa.
+  */
+class JSON : public Formatter {
+public:
+	JSON(threading::MsgThread* t);
+	virtual ~JSON();
+
+	virtual bool Describe(ODesc* desc, threading::Value* val) const;
+	virtual bool Describe(ODesc* desc, threading::Value* val, const string& name) const;
+	virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields,
+	                      threading::Value** vals) const;
+	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
+
+private:
+};
+
+}}
+
+#endif /* THREADING_FORMATTERS_JSON_H */
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
new file mode 100644
index 0000000000..7446047266
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
@@ -0,0 +1 @@
+{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":1394462315468,"iv":100.0,"s":"hurz","sc":[2,4,1,3],"ss":["CC","AA","BB"],"se":[],"vc":[10,20,30],"ve":[],"f":"SSH::foo\u000a{ \u000aif (0 < SSH::i) \u000a\u0009return (Foo);\u000aelse\u000a\u0009return (Bar);\u000a\u000a}"}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json.bro
new file mode 100644
index 0000000000..35cf7f1e80
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json.bro
@@ -0,0 +1,70 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+#
+# Testing all possible types.
+
+redef LogAscii::use_json = T;
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		b: bool;
+		i: int;
+		e: Log::ID;
+		c: count;
+		p: port;
+		sn: subnet;
+		a: addr;
+		d: double;
+		t: time;
+		iv: interval;
+		s: string;
+		sc: set[count];
+		ss: set[string];
+		se: set[string];
+		vc: vector of count;
+		ve: vector of string;
+		f: function(i: count) : string;
+	} &log;
+}
+
+function foo(i : count) : string
+	{
+	if ( i > 0 )
+		return "Foo";
+	else
+		return "Bar";
+	}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+
+	local empty_set: set[string];
+	local empty_vector: vector of string;
+
+	Log::write(SSH::LOG, [
+		$b=T,
+		$i=-42,
+		$e=SSH::LOG,
+		$c=21,
+		$p=123/tcp,
+		$sn=10.0.0.1/24,
+		$a=1.2.3.4,
+		$d=3.14,
+		$t=network_time(),
+		$iv=100secs,
+		$s="hurz",
+		$sc=set(1,2,3,4),
+		$ss=set("AA", "BB", "CC"),
+		$se=empty_set,
+		$vc=vector(10, 20, 30),
+		$ve=empty_vector,
+		$f=foo
+		]);
+}
+

From f30d3e635e55717ce3edfb1b6d08637c043fd8c0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 10 Mar 2014 11:34:57 -0500
Subject: [PATCH 085/220] Fix non-deterministic logging of unmatched DNS msgs,
 addresses BIT-1153

Unmatched DNS messages may fail to be logged sometimes due to a type of
iterator invalidation.
---
 scripts/base/protocols/dns/main.bro | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 348c361311..fe371de2a8 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -181,10 +181,9 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
 function log_unmatched_msgs(msgs: PendingMessages)
 	{
 	for ( trans_id in msgs )
-		{
 		log_unmatched_msgs_queue(msgs[trans_id]);
-		delete msgs[trans_id];
-		}
+
+	msgs = PendingMessages();
 	}
 
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)

From c9aaf9e753f48008b258eff1ac6a60046a4d274c Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 10 Mar 2014 14:22:35 -0400
Subject: [PATCH 086/220] Added an option to the JSON formatter to use ISO 8601
 for timestamps.

 - It's not *exactly* ISO 8601 which doesn't seem to support
   subseconds, but subseconds are very important to us and
   most things that support ISO8601 seem to also support subseconds
   in the way I'm implemented it.
---
 .../base/frameworks/logging/writers/ascii.bro |  6 +++
 src/logging.bif                               |  1 +
 src/logging/writers/Ascii.cc                  |  3 +-
 src/logging/writers/Ascii.h                   |  1 +
 src/logging/writers/ElasticSearch.cc          |  2 +-
 src/threading/formatters/JSON.cc              | 37 +++++++++++++++----
 src/threading/formatters/JSON.h               |  3 +-
 .../ssh.log                                   |  2 +
 .../ssh.log                                   |  2 +-
 .../logging/ascii-json-iso-timestamps.bro     | 31 ++++++++++++++++
 .../base/frameworks/logging/ascii-json.bro    |  2 +-
 11 files changed, 77 insertions(+), 13 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log
 create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro

diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index ab86e4641d..68219cb964 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -24,6 +24,12 @@ export {
 	## This is also available as a per-filter $config option.
 	const use_json = F &redef;
 
+	## By default, the JSON formatter will use double values for timestamps
+	## which represent the number of seconds from the UNIX epoch.  By setting
+	## this to 'T', it will use the 8601 format.  This is also available as 
+	## a per-filter $config option.
+	const json_iso_timestamps = F &redef;
+
 	## If true, include lines with log meta information such as column names
 	## with types, the values of ASCII logging options that are in use, and
 	## the time when the file was opened and closed (the latter at the end).
diff --git a/src/logging.bif b/src/logging.bif
index 2e8a1eb3a4..f12aa50c1c 100644
--- a/src/logging.bif
+++ b/src/logging.bif
@@ -78,6 +78,7 @@ const set_separator: string;
 const empty_field: string;
 const unset_field: string;
 const use_json: bool;
+const json_iso_timestamps: bool;
 
 # Options for the DataSeries writer.
 
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index bd5d175d3a..976c083eda 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -59,6 +59,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 	output_to_stdout = BifConst::LogAscii::output_to_stdout;
 	include_meta = BifConst::LogAscii::include_meta;
 	use_json = BifConst::LogAscii::use_json;
+	json_iso_timestamps = BifConst::LogAscii::json_iso_timestamps;
 
 	separator.assign(
 			(const char*) BifConst::LogAscii::separator->Bytes(),
@@ -147,7 +148,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 	if ( use_json )
 		{
 		// Write out JSON formatted logs.
-		formatter = new threading::formatter::JSON(this);
+		formatter = new threading::formatter::JSON(this, json_iso_timestamps);
 		// Using JSON implicitly turns off the header meta fields.
 		include_meta = false;
 		}
diff --git a/src/logging/writers/Ascii.h b/src/logging/writers/Ascii.h
index 08af465ff4..d131a289b4 100644
--- a/src/logging/writers/Ascii.h
+++ b/src/logging/writers/Ascii.h
@@ -48,6 +48,7 @@ private:
 	bool include_meta;
 	bool tsv;
 	bool use_json;
+	bool json_iso_timestamps;
 
 	string separator;
 	string set_separator;
diff --git a/src/logging/writers/ElasticSearch.cc b/src/logging/writers/ElasticSearch.cc
index cec5bac80e..0a18e624ea 100644
--- a/src/logging/writers/ElasticSearch.cc
+++ b/src/logging/writers/ElasticSearch.cc
@@ -52,7 +52,7 @@ ElasticSearch::ElasticSearch(WriterFrontend* frontend) : WriterBackend(frontend)
 
 	curl_handle = HTTPSetup();
 
-	json = new threading::formatter::JSON(this);
+	json = new threading::formatter::JSON(this, false);
 }
 
 ElasticSearch::~ElasticSearch()
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index c1e68b27bb..57e9d58527 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -4,13 +4,15 @@
 
 #include <sstream>
 #include <errno.h>
+#include <math.h>
 
 #include "./JSON.h"
 
 using namespace threading::formatter;
 
-JSON::JSON(MsgThread* t) : Formatter(t)
+JSON::JSON(MsgThread* t, bool json_iso_timestamps) : Formatter(t)
 	{
+	iso_timestamps = json_iso_timestamps;
 	}
 
 JSON::~JSON()
@@ -100,16 +102,35 @@ bool JSON::Describe(ODesc* desc, Value* val) const
 
 		case TYPE_TIME:
 			{
-			// ElasticSearch uses milliseconds for timestamps and json only
-			// supports signed ints (uints can be too large).
-			uint64_t ts = (uint64_t) (val->val.double_val * 1000);
-			if ( ts >= INT64_MAX )
+			if ( iso_timestamps )
 				{
-				thread->Error(thread->Fmt("time value too large for JSON: %" PRIu64, ts));
-				desc->AddRaw("null", 4);
+				char buffer[40];
+				time_t t = time_t(val->val.double_val);
+				if ( strftime(buffer, sizeof(buffer), "%Y-%m-%dT%H:%M:%S", gmtime(&t)) == 0 )
+					thread->Error(thread->Fmt("strftime error for JSON: %" PRIu64));
+				else
+					{
+					double integ;
+					double frac = modf(val->val.double_val, &integ);
+					snprintf(buffer, sizeof(buffer), "%s.%06.0fZ", buffer, frac*1000000);
+					desc->AddRaw("\"", 1);
+					desc->Add(buffer);
+					desc->AddRaw("\"", 1);
+					}
 				}
 			else
-				desc->Add(ts);
+				{
+				// ElasticSearch uses milliseconds for timestamps and json only
+				// supports signed ints (uints can be too large).
+				uint64_t ts = (uint64_t) (val->val.double_val * 1000);
+				if ( ts >= INT64_MAX )
+					{
+					thread->Error(thread->Fmt("time value too large for JSON: %" PRIu64, ts));
+					desc->AddRaw("null", 4);
+					}
+				else
+					desc->Add(ts);
+				}
 			break;
 			}
 
diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h
index 7b4c4ea328..b15da075cd 100644
--- a/src/threading/formatters/JSON.h
+++ b/src/threading/formatters/JSON.h
@@ -13,7 +13,7 @@ namespace threading { namespace formatter {
   */
 class JSON : public Formatter {
 public:
-	JSON(threading::MsgThread* t);
+	JSON(threading::MsgThread* t, bool json_iso_timestamps);
 	virtual ~JSON();
 
 	virtual bool Describe(ODesc* desc, threading::Value* val) const;
@@ -23,6 +23,7 @@ public:
 	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
 
 private:
+	bool iso_timestamps;
 };
 
 }}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log
new file mode 100644
index 0000000000..5673a0605a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-iso-timestamps/ssh.log
@@ -0,0 +1,2 @@
+{"t":"2008-07-09T16:13:30.005432Z"}
+{"t":"1986-12-01T01:01:01.900000Z"}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
index 7446047266..9e4e74c018 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
@@ -1 +1 @@
-{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":1394462315468,"iv":100.0,"s":"hurz","sc":[2,4,1,3],"ss":["CC","AA","BB"],"se":[],"vc":[10,20,30],"ve":[],"f":"SSH::foo\u000a{ \u000aif (0 < SSH::i) \u000a\u0009return (Foo);\u000aelse\u000a\u0009return (Bar);\u000a\u000a}"}
+{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":1215620010543,"iv":100.0,"s":"hurz","sc":[2,4,1,3],"ss":["CC","AA","BB"],"se":[],"vc":[10,20,30],"ve":[],"f":"SSH::foo\u000a{ \u000aif (0 < SSH::i) \u000a\u0009return (Foo);\u000aelse\u000a\u0009return (Bar);\u000a\u000a}"}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
new file mode 100644
index 0000000000..f9541edda7
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
@@ -0,0 +1,31 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+#
+# Testing all possible types.
+
+redef LogAscii::use_json = T;
+redef LogAscii::json_iso_timestamps = T;
+
+module SSH;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Log: record {
+		t: time;
+	} &log;
+}
+
+event bro_init()
+{
+	Log::create_stream(SSH::LOG, [$columns=Log]);
+	Log::write(SSH::LOG, [
+		$t=(strptime("%Y-%m-%dT%H:%M:%SZ", "2008-07-09T16:13:30Z") + 0.00543210 secs)
+		]);
+	Log::write(SSH::LOG, [
+		$t=(strptime("%Y-%m-%dT%H:%M:%SZ", "1986-12-01T01:01:01Z") + 0.90 secs)
+		]);
+
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json.bro
index 35cf7f1e80..2b6055930f 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-json.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json.bro
@@ -56,7 +56,7 @@ event bro_init()
 		$sn=10.0.0.1/24,
 		$a=1.2.3.4,
 		$d=3.14,
-		$t=network_time(),
+		$t=(strptime("%Y-%m-%dT%H:%M:%SZ", "2008-07-09T16:13:30Z") + 0.543210 secs),
 		$iv=100secs,
 		$s="hurz",
 		$sc=set(1,2,3,4),

From ea432102a8e913e2041df7e18f27caf408c6713e Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 10 Mar 2014 14:36:42 -0500
Subject: [PATCH 087/220] Teach configure script --enable-jemalloc,
 --with-jemalloc.

Addresses BIT-1128.
---
 CMakeLists.txt | 7 +++++++
 configure      | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index f773381ae8..71f6a6a8fe 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -91,6 +91,10 @@ if (NOT BinPAC_ROOT_DIR AND
 endif ()
 FindRequiredPackage(BinPAC)
 
+if (ENABLE_JEMALLOC)
+    find_package(JeMalloc)
+endif ()
+
 if (MISSING_PREREQS)
     foreach (prereq ${MISSING_PREREQ_DESCS})
         message(SEND_ERROR ${prereq})
@@ -105,6 +109,7 @@ include_directories(BEFORE
                     ${BinPAC_INCLUDE_DIR}
                     ${LIBMAGIC_INCLUDE_DIR}
                     ${ZLIB_INCLUDE_DIR}
+                    ${JEMALLOC_INCLUDE_DIR}
 )
 
 # Optional Dependencies
@@ -184,6 +189,7 @@ set(brodeps
     ${BIND_LIBRARY}
     ${LIBMAGIC_LIBRARY}
     ${ZLIB_LIBRARY}
+    ${JEMALLOC_LIBRARIES}
     ${OPTLIBS}
 )
 
@@ -268,6 +274,7 @@ message(
     "\ngperftools found:  ${HAVE_PERFTOOLS}"
     "\n        tcmalloc:  ${USE_PERFTOOLS_TCMALLOC}"
     "\n       debugging:  ${USE_PERFTOOLS_DEBUG}"
+    "\njemalloc:          ${ENABLE_JEMALLOC}"
     "\ncURL:              ${USE_CURL}"
     "\n"
     "\nDataSeries:        ${USE_DATASERIES}"
diff --git a/configure b/configure
index ba9bf58301..5690712c3a 100755
--- a/configure
+++ b/configure
@@ -32,6 +32,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --enable-perftools     force use of Google perftools on non-Linux systems
                            (automatically on when perftools is present on Linux)
     --enable-perftools-debug use Google's perftools for debugging
+    --enable-jemalloc      link against jemalloc
     --enable-ruby          build ruby bindings for broccoli (deprecated)
     --disable-broccoli     don't build or install the Broccoli library
     --disable-broctl       don't install Broctl
@@ -54,6 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
   Optional Packages in Non-Standard Locations:
     --with-geoip=PATH      path to the libGeoIP install root
     --with-perftools=PATH  path to Google Perftools install root
+    --with-jemalloc=PATH   path to jemalloc install root
     --with-python=PATH     path to Python interpreter
     --with-python-lib=PATH path to libpython
     --with-python-inc=PATH path to Python headers
@@ -105,6 +107,7 @@ append_cache_entry BRO_ETC_INSTALL_DIR  PATH   $prefix/etc
 append_cache_entry ENABLE_DEBUG         BOOL   false
 append_cache_entry ENABLE_PERFTOOLS     BOOL   false
 append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false
+append_cache_entry ENABLE_JEMALLOC      BOOL false
 append_cache_entry BinPAC_SKIP_INSTALL  BOOL   true
 append_cache_entry BUILD_SHARED_LIBS    BOOL   true
 append_cache_entry INSTALL_AUX_TOOLS    BOOL   true
@@ -160,6 +163,9 @@ while [ $# -ne 0 ]; do
             append_cache_entry ENABLE_PERFTOOLS     BOOL   true
             append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL   true
             ;;
+        --enable-jemalloc)
+            append_cache_entry ENABLE_JEMALLOC     BOOL   true
+            ;;
         --disable-broccoli)
             append_cache_entry INSTALL_BROCCOLI     BOOL   false
             ;;
@@ -214,6 +220,9 @@ while [ $# -ne 0 ]; do
         --with-perftools=*)
             append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
             ;;
+        --with-jemalloc=*)
+            append_cache_entry JeMalloc_ROOT_DIR    PATH    $optarg
+            ;;
         --with-python=*)
             append_cache_entry PYTHON_EXECUTABLE    PATH    $optarg
             ;;

From 01dde0b19fb04b51d8dd640aca28b3b164915064 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 10 Mar 2014 14:48:13 -0500
Subject: [PATCH 088/220] Fix --with-jemalloc and make it imply
 --enable-jemalloc.

---
 configure | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/configure b/configure
index 5690712c3a..5af2f25c8f 100755
--- a/configure
+++ b/configure
@@ -221,7 +221,8 @@ while [ $# -ne 0 ]; do
             append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
             ;;
         --with-jemalloc=*)
-            append_cache_entry JeMalloc_ROOT_DIR    PATH    $optarg
+            append_cache_entry JEMALLOC_ROOT_DIR    PATH    $optarg
+            append_cache_entry ENABLE_JEMALLOC      BOOL    true
             ;;
         --with-python=*)
             append_cache_entry PYTHON_EXECUTABLE    PATH    $optarg

From da338c8ffebf154cc57885d57039ced2f683defd Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 10 Mar 2014 16:51:04 -0500
Subject: [PATCH 089/220] Teach async DNS lookup builtin-functions about
 BRO_DNS_FAKE.

And enable fake DNS mode for test suites.

Addresses BIT-1134.
---
 src/DNS_Mgr.cc                           | 76 +++++++++++++++++++-----
 src/DNS_Mgr.h                            | 13 ++--
 testing/btest/Baseline/core.fake_dns/out | 10 ++++
 testing/btest/btest.cfg                  |  1 +
 testing/btest/core/fake_dns.bro          | 41 +++++++++++++
 testing/btest/language/timeout.bro       |  2 +-
 testing/external/subdir-btest.cfg        |  1 +
 7 files changed, 123 insertions(+), 21 deletions(-)
 create mode 100644 testing/btest/Baseline/core.fake_dns/out
 create mode 100644 testing/btest/core/fake_dns.bro

diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 17409a930b..636a03e5a0 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -443,6 +443,20 @@ bool DNS_Mgr::Init()
 	return true;
 	}
 
+TableVal* DNS_Mgr::BuildFakeAddrResult()
+	{
+	ListVal* hv = new ListVal(TYPE_ADDR);
+	hv->Append(new AddrVal(++dns_fake_count));
+	return hv->ConvertToSet();
+	}
+
+const char* DNS_Mgr::BuildFakeNameResult()
+	{
+	static char tmp[32];
+	snprintf(tmp, sizeof(tmp), "fake_result_%"PRIu32, ++dns_fake_count);
+	return tmp;
+	}
+
 TableVal* DNS_Mgr::LookupHost(const char* name)
 	{
 	if ( ! nb_dns )
@@ -452,11 +466,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 		Init();
 
 	if ( mode == DNS_FAKE )
-		{
-		ListVal* hv = new ListVal(TYPE_ADDR);
-		hv->Append(new AddrVal(uint32(++dns_fake_count)));
-		return hv->ConvertToSet();
-		}
+		return BuildFakeAddrResult();
 
 	if ( mode != DNS_PRIME )
 		{
@@ -960,7 +970,7 @@ const char* DNS_Mgr::LookupAddrInCache(const IPAddr& addr)
 	return d->names ? d->names[0] : "<\?\?\?>";
 	}
 
-TableVal* DNS_Mgr::LookupNameInCache(string name)
+TableVal* DNS_Mgr::LookupNameInCache(const string& name)
 	{
 	HostMap::iterator it = host_mappings.find(name);
 	if ( it == host_mappings.end() )
@@ -990,7 +1000,7 @@ TableVal* DNS_Mgr::LookupNameInCache(string name)
 	return tv6;
 	}
 
-const char* DNS_Mgr::LookupTextInCache(string name)
+const char* DNS_Mgr::LookupTextInCache(const string& name)
 	{
 	TextMap::iterator it = text_mappings.find(name);
 	if ( it == text_mappings.end() )
@@ -1010,17 +1020,37 @@ const char* DNS_Mgr::LookupTextInCache(string name)
 	return d->names ? d->names[0] : "<\?\?\?>";
 	}
 
+static void resolve_lookup_cb(DNS_Mgr::LookupCallback* callback,
+                              TableVal* result)
+	{
+	callback->Resolved(result);
+	Unref(result);
+	delete callback;
+	}
+
+static void resolve_lookup_cb(DNS_Mgr::LookupCallback* callback,
+                              const char* result)
+	{
+	callback->Resolved(result);
+	delete callback;
+	}
+
 void DNS_Mgr::AsyncLookupAddr(const IPAddr& host, LookupCallback* callback)
 	{
 	if ( ! did_init )
 		Init();
 
+	if ( mode == DNS_FAKE )
+		{
+		resolve_lookup_cb(callback, BuildFakeNameResult());
+		return;
+		}
+
 	// Do we already know the answer?
 	const char* name = LookupAddrInCache(host);
 	if ( name )
 		{
-		callback->Resolved(name);
-		delete callback;
+		resolve_lookup_cb(callback, name);
 		return;
 		}
 
@@ -1044,18 +1074,22 @@ void DNS_Mgr::AsyncLookupAddr(const IPAddr& host, LookupCallback* callback)
 	IssueAsyncRequests();
 	}
 
-void DNS_Mgr::AsyncLookupName(string name, LookupCallback* callback)
+void DNS_Mgr::AsyncLookupName(const string& name, LookupCallback* callback)
 	{
 	if ( ! did_init )
 		Init();
 
+	if ( mode == DNS_FAKE )
+		{
+		resolve_lookup_cb(callback, BuildFakeAddrResult());
+		return;
+		}
+
 	// Do we already know the answer?
 	TableVal* addrs = LookupNameInCache(name);
 	if ( addrs )
 		{
-		callback->Resolved(addrs);
-		Unref(addrs);
-		delete callback;
+		resolve_lookup_cb(callback, addrs);
 		return;
 		}
 
@@ -1079,13 +1113,25 @@ void DNS_Mgr::AsyncLookupName(string name, LookupCallback* callback)
 	IssueAsyncRequests();
 	}
 
-void DNS_Mgr::AsyncLookupNameText(string name, LookupCallback* callback)
+void DNS_Mgr::AsyncLookupNameText(const string& name, LookupCallback* callback)
 	{
 	if ( ! did_init )
 		Init();
 
+	if ( mode == DNS_FAKE )
+		{
+		resolve_lookup_cb(callback, BuildFakeNameResult());
+		return;
+		}
+
 	// Do we already know the answer?
-	TableVal* addrs;
+	const char* txt = LookupTextInCache(name);
+
+	if ( txt )
+		{
+		resolve_lookup_cb(callback, txt);
+		return;
+		}
 
 	AsyncRequest* req = 0;
 
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
index bfcc70a5c2..ccace3303e 100644
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@@ -62,8 +62,8 @@ public:
 	int Save();
 
 	const char* LookupAddrInCache(const IPAddr& addr);
-	TableVal* LookupNameInCache(string name);
-	const char* LookupTextInCache(string name);
+	TableVal* LookupNameInCache(const string& name);
+	const char* LookupTextInCache(const string& name);
 
 	// Support for async lookups.
 	class LookupCallback {
@@ -77,8 +77,8 @@ public:
 	};
 
 	void AsyncLookupAddr(const IPAddr& host, LookupCallback* callback);
-	void AsyncLookupName(string name, LookupCallback* callback);
-	void AsyncLookupNameText(string name, LookupCallback* callback);
+	void AsyncLookupName(const string& name, LookupCallback* callback);
+	void AsyncLookupNameText(const string& name, LookupCallback* callback);
 
 	struct Stats {
 		unsigned long requests;	// These count only async requests.
@@ -102,6 +102,9 @@ protected:
 
 	Val* BuildMappingVal(DNS_Mapping* dm);
 
+	TableVal* BuildFakeAddrResult();
+	const char* BuildFakeNameResult();
+
 	void AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r);
 	void CompareMappings(DNS_Mapping* prev_dm, DNS_Mapping* new_dm);
 	ListVal* AddrListDelta(ListVal* al1, ListVal* al2);
@@ -163,7 +166,7 @@ protected:
 
 	RecordType* dm_rec;
 
-	int dns_fake_count;	// used to generate unique fake replies
+	uint32 dns_fake_count;	// used to generate unique fake replies
 
 	typedef list<LookupCallback*> CallbackList;
 
diff --git a/testing/btest/Baseline/core.fake_dns/out b/testing/btest/Baseline/core.fake_dns/out
new file mode 100644
index 0000000000..5e1e72301d
--- /dev/null
+++ b/testing/btest/Baseline/core.fake_dns/out
@@ -0,0 +1,10 @@
+{
+3.0.0.0,
+2.0.0.0,
+1.0.0.0
+}
+lookup_hostname_txt, fake_result_4
+lookup_hostname, {
+5.0.0.0
+}
+lookup_addr, fake_result_6
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index 39b64f7c09..0130cb6e1d 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -24,3 +24,4 @@ TEST_DIFF_CANONIFIER=%(testbase)s/../scripts/diff-canonifier
 TMPDIR=%(testbase)s/.tmp
 BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
 BTEST_RST_FILTER=$SCRIPTS/rst-filter
+BRO_DNS_FAKE=1
diff --git a/testing/btest/core/fake_dns.bro b/testing/btest/core/fake_dns.bro
new file mode 100644
index 0000000000..f4d8c46777
--- /dev/null
+++ b/testing/btest/core/fake_dns.bro
@@ -0,0 +1,41 @@
+# @TEST-EXEC: BRO_DNS_FAKE=1 bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+global addrs: set[addr] = {
+	google.com,
+	bing.com,
+	yahoo.com
+};
+
+global c: count = 0;
+
+function check_terminate()
+	{
+	++c;
+
+	if ( c > 2 )
+		terminate();
+	}
+
+event bro_init()
+	{
+	print addrs;
+
+	when ( local result = lookup_hostname_txt("bro.wp.dg.cx") )
+		{
+		print "lookup_hostname_txt", result;
+		check_terminate();
+		}
+	when ( local result2 = lookup_hostname("example.com") )
+		{
+		print "lookup_hostname", result2;
+		check_terminate();
+		}
+	when ( local result3 = lookup_addr(1.2.3.4) )
+		{
+		print "lookup_addr", result3;
+		check_terminate();
+		}
+	}
diff --git a/testing/btest/language/timeout.bro b/testing/btest/language/timeout.bro
index b16ddd6e7c..632ab18b5f 100644
--- a/testing/btest/language/timeout.bro
+++ b/testing/btest/language/timeout.bro
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: unset BRO_DNS_FAKE && bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index fb5873418a..f68849314e 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -19,3 +19,4 @@ SCRIPTS=%(testbase)s/../scripts
 DIST=%(testbase)s/../../..
 BUILD=%(testbase)s/../../../build
 BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
+BRO_DNS_FAKE=1

From d3f88ba9d19814076b02bde7ea81e70f4ef4f7c9 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 11 Mar 2014 13:18:14 -0500
Subject: [PATCH 090/220] Improve performance of MHR script, addresses
 BIT-1139.

The MHR script involves a "when" statement which can be expensive due to
the way it clones frames/vals.  In this case, the fa_file record is
expensive to clone, but this change works around that by unrolling only
the necessary fields from it that are needed to populate a Notice::Info
record.  A drawback to this is that the full fa_file or connection
records aren't available in the Notice::Info record when evaluating
Notice::policy hooks for MHR hit notices (though they can possibly be
recovered by using e.g. the lookup_connection() builtin_function).
---
 scripts/base/frameworks/notice/main.bro       | 84 +++++++++++++++----
 .../policy/frameworks/files/detect-MHR.bro    | 39 +++++----
 2 files changed, 93 insertions(+), 30 deletions(-)

diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index bbd4643b3d..8bf42a33e0 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -206,6 +206,38 @@ export {
 	## The maximum amount of time a plugin can delay email from being sent.
 	const max_email_delay     = 15secs &redef;
 
+	## Contains a portion of :bro:see:`fa_file` that's also contained in
+	## :bro:see:`Notice::Info`.
+	type FileInfo: record {
+		fuid: string;            ##< File UID.
+		desc: string;            ##< File description from e.g.
+		                         ##< :bro:see:`Files::describe`.
+		mime: string  &optional; ##< Strongest mime type match for file.
+		cid:  conn_id &optional; ##< Connection tuple over which file is sent.
+		cuid: string  &optional; ##< Connection UID over which file is sent.
+	};
+
+	## Creates a record containing a subset of a full :bro:see:`fa_file` record.
+	##
+	## f: record containing metadata about a file.
+	##
+	## Returns: record containing a subset of fields copied from *f*.
+	global create_file_info: function(f: fa_file): Notice::FileInfo;
+
+	## Populates file-related fields in a notice info record.
+	##
+	## f: record containing metadata about a file.
+	##
+	## n: a notice record that needs file-related fields populated.
+	global populate_file_info: function(f: fa_file, n: Notice::Info);
+
+	## Populates file-related fields in a notice info record.
+	##
+	## fi: record containing metadata about a file.
+	##
+	## n: a notice record that needs file-related fields populated.
+	global populate_file_info2: function(fi: Notice::FileInfo, n: Notice::Info);
+
 	## A log postprocessing function that implements emailing the contents
 	## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
 	## The rotated log is removed upon being sent.
@@ -493,6 +525,42 @@ function execute_with_notice(cmd: string, n: Notice::Info)
 	#system_env(cmd, tags);
 	}
 
+function create_file_info(f: fa_file): Notice::FileInfo
+	{
+	local fi: Notice::FileInfo = Notice::FileInfo($fuid = f$id,
+	                                              $desc = Files::describe(f));
+
+	if ( f?$mime_type )
+		fi$mime = f$mime_type;
+
+	if ( f?$conns && |f$conns| == 1 )
+		for ( id in f$conns )
+			{
+			fi$cid = id;
+			fi$cuid = f$conns[id]$uid;
+			}
+
+	return fi;
+	}
+
+function populate_file_info(f: fa_file, n: Notice::Info)
+	{
+	populate_file_info2(create_file_info(f), n);
+	}
+
+function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info)
+	{
+	if ( ! n?$fuid )
+		n$fuid = fi$fuid;
+
+	if ( ! n?$file_mime_type && fi?$mime )
+		n$file_mime_type = fi$mime;
+
+	n$file_desc = fi$desc;
+	n$id = fi$cid;
+	n$uid = fi$cuid;
+	}
+
 # This is run synchronously as a function before all of the other
 # notice related functions and events.  It also modifies the
 # :bro:type:`Notice::Info` record in place.
@@ -503,21 +571,7 @@ function apply_policy(n: Notice::Info)
 		n$ts = network_time();
 
 	if ( n?$f )
-		{
-		if ( ! n?$fuid )
-			n$fuid = n$f$id;
-
-		if ( ! n?$file_mime_type && n$f?$mime_type )
-			n$file_mime_type = n$f$mime_type;
-
-		n$file_desc = Files::describe(n$f);
-
-		if ( n$f?$conns && |n$f$conns| == 1 )
-			{
-			for ( id in n$f$conns )
-				n$conn = n$f$conns[id];
-			}
-		}
+		populate_file_info(n$f, n);
 
 	if ( n?$conn )
 		{
diff --git a/scripts/policy/frameworks/files/detect-MHR.bro b/scripts/policy/frameworks/files/detect-MHR.bro
index 1a26b9be32..ac3a53de3a 100644
--- a/scripts/policy/frameworks/files/detect-MHR.bro
+++ b/scripts/policy/frameworks/files/detect-MHR.bro
@@ -35,28 +35,37 @@ export {
 	const notice_threshold = 10 &redef;
 }
 
-event file_hash(f: fa_file, kind: string, hash: string)
+function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 	{
-	if ( kind=="sha1" && match_file_types in f$mime_type )
+	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+
+	when ( local MHR_result = lookup_hostname_txt(hash_domain) )
 		{
-		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
-		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+		# Data is returned as "<dateFirstDetected> <detectionRate>"
+		local MHR_answer = split1(MHR_result, / /);
+
+		if ( |MHR_answer| == 2 )
 			{
-			# Data is returned as "<dateFirstDetected> <detectionRate>"
-			local MHR_answer = split1(MHR_result, / /);
-			if ( |MHR_answer| == 2 )
+			local mhr_detect_rate = to_count(MHR_answer[2]);
+
+			if ( mhr_detect_rate >= notice_threshold )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
-				local mhr_detect_rate = to_count(MHR_answer[2]);
-
 				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
-				if ( mhr_detect_rate >= notice_threshold )
-					{
-					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
-					local virustotal_url = fmt(match_sub_url, hash);
-					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
-					}
+				local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+				local virustotal_url = fmt(match_sub_url, hash);
+				# We don't have the full fa_file record here in order to
+				# avoid the "when" statement cloning it (expensive!).
+				local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
+				Notice::populate_file_info2(fi, n);
+				NOTICE(n);
 				}
 			}
 		}
 	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind=="sha1" && match_file_types in f$mime_type )
+		do_mhr_lookup(hash, Notice::create_file_info(f));
+	}

From 066473b1f1bc71fc500a0a0ec447e1603732c53a Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 11 Mar 2014 16:56:17 -0500
Subject: [PATCH 091/220] Improve analysis of TCP SYN/SYN-ACK reversal
 situations.

- Since it's just the handshake packets out of order, they're no
  longer treated as partial connections, which some protocol analyzers
  immediately refuse to look at.

- The TCP_Reassembler "is_orig" state failed to change, which led to
  protocol analyzers sometimes using the wrong value for that.

- Add a unit test which exercises the Connection::FlipRoles() code
  path (i.e. the SYN/SYN-ACK reversal situation).

Addresses BIT-1148.
---
 src/analyzer/protocol/pia/PIA.cc              |   4 +-
 src/analyzer/protocol/tcp/TCP.cc              |   7 ++--
 src/analyzer/protocol/tcp/TCP_Reassembler.cc  |  29 +++++++------
 src/analyzer/protocol/tcp/TCP_Reassembler.h   |   6 +--
 .../Baseline/core.connection_flip_roles/out   |   4 ++
 .../btest/Traces/tcp/handshake-reorder.trace  | Bin 0 -> 6335 bytes
 testing/btest/core/connection_flip_roles.bro  |  39 ++++++++++++++++++
 7 files changed, 65 insertions(+), 24 deletions(-)
 create mode 100644 testing/btest/Baseline/core.connection_flip_roles/out
 create mode 100644 testing/btest/Traces/tcp/handshake-reorder.trace
 create mode 100644 testing/btest/core/connection_flip_roles.bro

diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index ab2d1833e8..388d1d501d 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -331,11 +331,11 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 
 	tcp::TCP_Reassembler* reass_orig =
 		new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct,
-					true, tcp->Orig());
+					tcp->Orig());
 
 	tcp::TCP_Reassembler* reass_resp =
 		new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct,
-					false, tcp->Resp());
+					tcp->Resp());
 
 	int orig_seq = 0;
 	int resp_seq = 0;
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index 57c4ebef18..c422d01f32 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -95,9 +95,9 @@ void TCP_Analyzer::Done()
 void TCP_Analyzer::EnableReassembly()
 	{
 	SetReassembler(new TCP_Reassembler(this, this,
-					TCP_Reassembler::Forward, true, orig),
-		       new TCP_Reassembler(this, this,
-					TCP_Reassembler::Forward, false, resp));
+	                                   TCP_Reassembler::Forward, orig),
+	               new TCP_Reassembler(this, this,
+	                                   TCP_Reassembler::Forward, resp));
 
 	reassembling = 1;
 
@@ -590,6 +590,7 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 				// per the discussion in IsReuse.
 				// Flip the endpoints and establish
 				// the connection.
+				is_partial = 0;
 				Conn()->FlipRoles();
 				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
 				}
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index 49292a04a5..da8dd857fd 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -32,13 +32,12 @@ static uint64 last_gap_bytes = 0;
 TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
 				TCP_Analyzer* arg_tcp_analyzer,
 				TCP_Reassembler::Type arg_type,
-				bool arg_is_orig, TCP_Endpoint* arg_endp)
+				TCP_Endpoint* arg_endp)
 	: Reassembler(1, REASSEM_TCP)
 	{
 	dst_analyzer = arg_dst_analyzer;
 	tcp_analyzer = arg_tcp_analyzer;
 	type = arg_type;
-	is_orig = arg_is_orig;
 	endp = arg_endp;
 	had_gap = false;
 	record_contents_file = 0;
@@ -165,10 +164,10 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f Undelivered: is_orig=%d up_to_seq=%d, last_reassm=%d, "
+		DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%d, last_reassm=%d, "
 		          "endp: FIN_cnt=%d, RST_cnt=%d, "
 		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
-		          network_time, is_orig, up_to_seq, last_reassem_seq,
+		          network_time, IsOrig(), up_to_seq, last_reassem_seq,
 		          endpoint->FIN_cnt, endpoint->RST_cnt,
 		          peer->FIN_cnt, peer->RST_cnt);
 		}
@@ -196,9 +195,9 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		if ( DEBUG_tcp_contents )
 			{
-			DEBUG_MSG("%.6f Undelivered: is_orig=%d, seq=%d, len=%d, "
+			DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%d, len=%d, "
 					  "skip_deliveries=%d\n",
-					  network_time, is_orig, last_reassem_seq,
+					  network_time, IsOrig(), last_reassem_seq,
 					  seq_delta(up_to_seq, last_reassem_seq),
 					  skip_deliveries);
 			}
@@ -229,7 +228,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 				{
 				val_list* vl = new val_list;
 				vl->append(dst_analyzer->BuildConnVal());
-				vl->append(new Val(is_orig, TYPE_BOOL));
+				vl->append(new Val(IsOrig(), TYPE_BOOL));
 				vl->append(new Val(seq, TYPE_COUNT));
 				vl->append(new Val(len, TYPE_COUNT));
 
@@ -238,11 +237,11 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 
 			if ( type == Direct )
 				dst_analyzer->NextUndelivered(last_reassem_seq,
-								len, is_orig);
+								len, IsOrig());
 			else
 				{
 				dst_analyzer->ForwardUndelivered(last_reassem_seq,
-								len, is_orig);
+								len, IsOrig());
 				}
 			}
 
@@ -289,7 +288,7 @@ void TCP_Reassembler::MatchUndelivered(int up_to_seq)
 	for ( b = blocks; b && seq_delta(b->upper, last_reassem_seq) <= 0;
 	      b = b->next )
 	      tcp_analyzer->Conn()->Match(Rule::PAYLOAD, b->block, b->Size(),
-						false, false, is_orig, false);
+						false, false, IsOrig(), false);
 
 	ASSERT(b);
 	}
@@ -410,7 +409,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
 	{
 	if ( DEBUG_tcp_contents )
-		DEBUG_MSG("%.6f TCP contents overlap: %d is_orig=%d\n", network_time,  n, is_orig);
+		DEBUG_MSG("%.6f TCP contents overlap: %d IsOrig()=%d\n", network_time,  n, IsOrig());
 
 	if ( rexmit_inconsistency &&
 	     memcmp((const void*) b1, (const void*) b2, n) &&
@@ -442,9 +441,9 @@ bool TCP_Reassembler::DoUnserialize(UnserialInfo* info)
 void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
 	{
 	if ( type == Direct )
-		dst_analyzer->NextStream(len, data, is_orig);
+		dst_analyzer->NextStream(len, data, IsOrig());
 	else
-		dst_analyzer->ForwardStream(len, data, is_orig);
+		dst_analyzer->ForwardStream(len, data, IsOrig());
 	}
 
 int TCP_Reassembler::DataSent(double t, int seq, int len,
@@ -455,8 +454,8 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f DataSent: is_orig=%d seq=%d upper=%d ack=%d\n",
-		          network_time, is_orig, seq, upper_seq, ack);
+		DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%d upper=%d ack=%d\n",
+		          network_time, IsOrig(), seq, upper_seq, ack);
 		}
 
 	if ( skip_deliveries )
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h
index 8bb80a0570..e3dcf82a1b 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.h
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h
@@ -28,9 +28,8 @@ public:
 		Forward,	// forward to destination analyzer's children
 	};
 
-	TCP_Reassembler(Analyzer* arg_dst_analyzer,
-			TCP_Analyzer* arg_tcp_analyzer, Type arg_type,
-			bool arg_is_orig, TCP_Endpoint* arg_endp);
+	TCP_Reassembler(Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer,
+	                Type arg_type, TCP_Endpoint* arg_endp);
 
 	virtual ~TCP_Reassembler();
 
@@ -135,7 +134,6 @@ private:
 	TCP_Analyzer* tcp_analyzer;
 
 	Type type;
-	bool is_orig;
 };
 
 } } // namespace analyzer::* 
diff --git a/testing/btest/Baseline/core.connection_flip_roles/out b/testing/btest/Baseline/core.connection_flip_roles/out
new file mode 100644
index 0000000000..2f596620bf
--- /dev/null
+++ b/testing/btest/Baseline/core.connection_flip_roles/out
@@ -0,0 +1,4 @@
+schedule_analyzer, current conn_id, [orig_h=192.150.187.43, orig_p=80/tcp, resp_h=141.142.228.5, resp_p=59856/tcp]
+http_request, 1.1, GET, /download/CHANGES.bro-aux.txt
+http_reply, 1.1, 200, OK
+connection_state_remove, [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
diff --git a/testing/btest/Traces/tcp/handshake-reorder.trace b/testing/btest/Traces/tcp/handshake-reorder.trace
new file mode 100644
index 0000000000000000000000000000000000000000..00581422cb25bd08a4451a93fc4bc98416438e7f
GIT binary patch
literal 6335
zcma)AU2Ggz72dc>TNb&b2%$ceTel^S>)AiA|0YeFjU78lZO7Q_R=m($&)nU;_3X@W
zXU6M|km^Sep+y2J!ApN25)Y_Bh&TFBsYR-wq<`=b0jeq?RYgLT`hdg(gzwy$S?`|%
zkycsTGv7V;JKy=vx%ZE6{OaYA%+XBx@7AqM<_Lax^>g!ITdCfYxrp!ddF!>eUU>hd
z%<(^e`~6Sv&Ya6+9?fLVWb$`@qxSj>zj@?)&;9LKX8n_QuU)_K*nb`<oqFkubKlRc
zXEGy4kNx`S$lclecg}wO%NPI3j@)s_U4*>8bx&pusPu_3V|<N#=ELXCWX{~#{D4pi
z{gZby>p(T>;a`s2x^?RH7#V0sj~ux>OUU%Mqa$(L3g~C?Gkpfo%WuC(==(SN&`%-u
z$M=u3N1{_;AV#fG+!XI!Pu`RH9l+=_fcV<QpAh26%234n*ds^xdl8q<RaxHlTCU@9
zJHK$gvbKC~Gq<fggGYP0a4%%%tJU><F;^VTZUsUamAY_4lRZ@zA^o<@#%-=z(k+&9
zrCj0UXtrWm!p9R6`H9i&c`v|Mz~wwuAI&a!t}CoidalWy5W+Vqj@%Wa+0pEE?CkUd
zF;B$RK#t2-U!okp_lLe5KaOm?v41>s<%jpjI|ENIA`3M_9Dg{I`TMc>(~o%UFIQhC
z#J3+h4Dlb|?L|zPV5LHVU3y|PyU0UfvT7rmWQAF_$`$@noMNS-S)MZSo8{H&Xm(Sm
zU7<`?@wwFy`BJW&n_}Zj!uAvgT`N2YjaAQ<H7RWHD(p#CnrD@$PGBWgnlj7tW+?$X
zSLJn+jTK8XMWbxZ%@(Gn=lD#`DvYJX8ynoMivXmzLlJ1oLuAZY5pF$fn5;Zom>$g@
zkZ-b3HiZ|3r>7@blkc4_77B+a3JKI`)wYkFhhi_x`wo}xDP}de3PgB%tGZ;&QAV?c
zTxo`VOYg!c%o(LJD^8omf>|gtqcB@2WV4J-uqC-C-8zeW8)O<lq39=Bt0Aohv%JW$
znJ=v!7B&QHDG!fYh(UP{t4T-X*!YIGEnT+hHJd`6?7>`KUuJ=<yM!NDO8Vj8;|OxP
zE675T6{pPUX|p_oAg8;6q-ATe9x0JvvCv~;Pll`|!v=Fb*SI2-$AXZDQNTQx38g&6
z#xLUQrfi8F1c%kioz-Ts04tWv=>p`^P00qAfnZJP%4XDLN_;btO4w{+mG1}!Ed{6_
zTD_E;At`k)K#W#w`(VfPoGly?3g&^zTI4uw15DKcxUIMgNd`k%nKDY9NQ(wY0xzYq
z34)N!ZeBQ*w_!zLvf-u(0$!)gEOJ*02lc_*IyKn+R2OCuT$jw^jEOH@nAMixI|0S5
z5H|-Caqb`r-vP6nxuOMr1*?JHG`}Q<AO}UU0YzZh?yVFH3~QDl#rYx266PgexMw#P
zSrGZYr${vY6nA#Khiag7AS@T`$~|JUKLQF$M`o}KH7Eto3FN}%po(z_styx$NirmI
z3rZ$1N4f%aAn-zq`8)t64dq4khK6E{J5&My!ip7JfpwrgI5Rz)qat9;U>l<8?P@7_
zO~IDewq(#`HRUxKZ|!s{0&+Qcd8+d=ehrCuKAE*<nrwo>CwycY1-DgQpmh)4otf)@
zH-0wWY#@BDcnEeANMot@_40h@^~4g=2Q3rSIBgctE*gT{LTPdWkOT6F8bsPf4mtn7
zZtwiBXy<>h*ZDvAIPE2$(&T}@oAwgWiQpSpID|nF^@BB&m>J?x_&appq;e$z@onkI
zu-&I4$g*h6$MsM&ibZ%LE5LZlCYowjJtS;E7CtntSc@xiG@bPh`%`ms!{8I$$M7Xq
zoHME7ddvp!I=xL9K#-)CP&9pQu9W6pU+##e-*xq7irt%uS1XuPRAn8vUy)(xpmNhi
zL6Om0=0mI>qSKY3?O$s<<n_S>Pz;?23I<wcan>xuT&KGuNa#!|_(Z@Wax0d&mM&wi
z>QNItGchz|+(t1DS&>qHHmcKZ{(q|Ir9M`v!qKNZ)S)ha83qiE#g;by3xrb}+-#~g
zxGyFJtWMU^2YXo0qjysWqouji;%%(xqIWrtw%&()C9thLwbt!6yR5aGJaD;BX#{sk
z`-Fa#+s{M+5=M3bH*NAz>nmAs*iIN)gg}?7@yJQqsezpb+W9VQUP@qc`Y~<(u`7)k
zi|o-_Gkk1Jiz4uaMN<^D2n!*==YmkxD3I}!Mi911cyU1Zy-sMw359Zb2>*53ld-fA
zig0%&Mh&fjU9KeG#;a#HE<L@lReid8VfEb7YL!_q0t`Hw_ym>*8lolO5Ah_@O>^YJ
zxj?aNla*5uP!~8b#@O115i|iSPl_`(#ef-&ym6ixk1@l_8w-<Kx3)*+t8EfPx_}Ka
z3mw#rd_;rl=q?WQ^LcX`qt0x1aipU|-1v0fl)!*z5pX(r#N?6YI1vDJpS(@aVS4{P
zv)F>3=vW+32%}b>7cxtzkS(qO#FiE^)+LmUrG-*ydP*aa={XWp3XK!}O?VAsK<Hr*
zv<1><&{uN)hrfE;ng6HS`Nw*l|K{_l^Y8zl*ZG4yCM0X8V^TDhM5qaYh~XN1hnPtm
z?2!3`>f<29Am3M|I7oGdnpoEcr|AdN0j7Y^(?p;gccq8vho%EqgRG&m1c8Jwb8IoG
zoTOr0@Qe4yBi$A~#7c70Fdhb)K!)OEny=ouImy+kcSSl5f>2b*I$ufplED*M6MH&`
z0l7mEZ9juk9r8IOO9`eegHVf+LeuSB(R3nUUlLVdOEu(OJ@C?-+6naQap_o|kJA#Q
z9w|!<Dr2)r!%;|sBrQkg)kz@oMryP0dR>Nw1|70A+628yTw-`moHa;CQRa9a22;=~
z6%GLc)35djUnulZJrE9`MgNBu$c+Jw@t4Bn>_noh6AT>>@#rK<Ti_&8YikpMpO85v
zwHf=siER<`6B>eihJH#P7%I`ks}@1DlG~A<_)_EOpJfrj1f$A}n@f+ddw2$UmJ&GA
zrCADbJl>}MayT=cfpy!qIOguB=wwA(Ak%ledSVlk_#L#4f#pO<8*8J73!H2;JKSwI
zQJTXAp8A_U3<3qcDQI{t)F1SMsb3$QAPZK*soclJm$u^+PA}2pZ<`4gWQM~E9S;}Q
zx8m-H(x6)vatQPa=@K7-wrD8It7)v{Y?I>m)+3JBidzsVu1!+HNg}r3Xwx`%vWZ;%
zik{Vm9O5WbRq28qeYVzx7mwtS19vc7EL1Q^qq^wuq~)@?xuVNjho+xFZ}eP5w<$oz
zdC-&`u@ff8l9_;Ri^d>QoGX#H?qflzgtz;x`w*#h9@Fh?=)vB#*B2`5+7B?3p-^}o
z*AGER&Yy?#-yDfQ{kJ_MzrXr3a{hNpz0UvPtakqUGFPsR_c}l1fqc<94CiEMtku97
z4YyZxyv2{>B3F-<yuS4G#)Y+IjFNcNx43_DaKjhk*@|JF!aRY7r!NhlijDP3_59%T
zPkCyG<FrSIN;tui5`s>o@f84_DR4aipMkP$K?7jT;q_n;W<#_T>>gs%Wz^Ss4x0}P
zIUE?$VWBW%6w7p_g_A>>4(gp*9$BUdAl5%cnKlVTm9!9W($N?mpi(A@ahE%7+?FIx
z(5)@3-C4P8&~?m=S(-C(g6~=xw@@hikhUMU4_|qd7m~Q9Xo%!G-eT4AjauH~#zcG;
zrv8%JUOZxMoU1IZo?{KJ`?3fAkb4z(P^?fx`=hNiNrl4;ce!u;8tS4KTp3EtXtJpj
ziX35D%%hOvxHg|$V`{e0f3PE=KMSGLB`JLdu7Jz`{4HGpKl$^%E8sV-UBCJK{_(Hu
z%B!)^aY_0MI^YuGi?>Dm!rO#+`jtV%k8bQAzyCA--XP*q?shTG-6X^>{b(rSy)1M2
z^$y~zX^gL(I?~y7e|cxhSFcfdzxP&ed4F^R<^AUVy_qY|{<~A&A7kgQ(ymt?JwP1f
gvGQYz@$-M`i}B5C*FSm(m-Cs+Q=J$;LyRB)7wymPdH?_b

literal 0
HcmV?d00001

diff --git a/testing/btest/core/connection_flip_roles.bro b/testing/btest/core/connection_flip_roles.bro
new file mode 100644
index 0000000000..e68d94c5fe
--- /dev/null
+++ b/testing/btest/core/connection_flip_roles.bro
@@ -0,0 +1,39 @@
+# @TEST-EXEC: bro -b -r $TRACES/tcp/handshake-reorder.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+# This tests the Connection::FlipRoles code path (SYN/SYN-ACK reversal).
+
+# The check of likely_server_ports is before Connection::FlipRoles, so
+# need to make sure that isn't the mechanism used to flip src/dst stuff.
+redef likely_server_ports = {};
+
+global first_packet: bool = T;
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	if ( ! first_packet )
+		return;
+
+	first_packet = F;
+
+	print "schedule_analyzer, current conn_id", c$id;
+	# Anticipate roles getting flipped in next packet.
+	Analyzer::schedule_analyzer(141.142.228.5, 192.150.187.43, 80/tcp,
+	                            Analyzer::ANALYZER_HTTP, 2mins);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	print "connection_state_remove", c$id;
+	}
+
+event http_request(c: connection, method: string, original_URI: string,
+                   unescaped_URI: string, version: string)
+	{
+	print "http_request", version, method, original_URI;
+	}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+	{
+	print "http_reply", version, code, reason;
+	}

From 6cd9358a71aaf4d2e424a5d15964b83f03f1e1ac Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 12 Mar 2014 10:01:17 -0400
Subject: [PATCH 092/220] Ascii input reader now supports all config options
 per-input stream.

---
 src/input/readers/Ascii.cc | 59 ++++++++++++++++++++++++--------------
 1 file changed, 37 insertions(+), 22 deletions(-)

diff --git a/src/input/readers/Ascii.cc b/src/input/readers/Ascii.cc
index 4fd24de73d..393793c3cb 100644
--- a/src/input/readers/Ascii.cc
+++ b/src/input/readers/Ascii.cc
@@ -14,6 +14,7 @@
 #include <errno.h>
 
 using namespace input::reader;
+using namespace threading;
 using threading::Value;
 using threading::Field;
 
@@ -50,27 +51,7 @@ Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	{
 	file = 0;
 	mtime = 0;
-
-	separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(),
-			  BifConst::InputAscii::separator->Len());
-
-	if ( separator.size() != 1 )
-		Error("separator length has to be 1. Separator will be truncated.");
-
-	set_separator.assign( (const char*) BifConst::InputAscii::set_separator->Bytes(),
-		              BifConst::InputAscii::set_separator->Len());
-
-	if ( set_separator.size() != 1 )
-		Error("set_separator length has to be 1. Separator will be truncated.");
-
-	empty_field.assign( (const char*) BifConst::InputAscii::empty_field->Bytes(),
-			    BifConst::InputAscii::empty_field->Len());
-
-	unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(),
-			    BifConst::InputAscii::unset_field->Len());
-
-	formatter = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo(string(), set_separator, unset_field, empty_field));
-}
+	}
 
 Ascii::~Ascii()
 	{
@@ -90,7 +71,41 @@ void Ascii::DoClose()
 
 bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields)
 	{
-	mtime = 0;
+	separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(),
+	                 BifConst::InputAscii::separator->Len());
+
+	set_separator.assign( (const char*) BifConst::InputAscii::set_separator->Bytes(),
+	                     BifConst::InputAscii::set_separator->Len());
+
+	empty_field.assign( (const char*) BifConst::InputAscii::empty_field->Bytes(),
+	                   BifConst::InputAscii::empty_field->Len());
+
+	unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(),
+	                   BifConst::InputAscii::unset_field->Len());
+
+	// Set per-filter configuration options.
+	for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
+		{
+		if ( strcmp(i->first, "separator") == 0 )
+			separator.assign(i->second);
+		
+		else if ( strcmp(i->first, "set_separator") == 0 )
+			set_separator.assign(i->second);
+		
+		else if ( strcmp(i->first, "empty_field") == 0 )
+			empty_field.assign(i->second);
+
+		else if ( strcmp(i->first, "unset_field") == 0 )
+			unset_field.assign(i->second);
+		}
+
+	if ( separator.size() != 1 )
+		Error("separator length has to be 1. Separator will be truncated.");
+
+	if ( set_separator.size() != 1 )
+		Error("set_separator length has to be 1. Separator will be truncated.");
+
+	formatter = new formatter::Ascii(this, formatter::Ascii::SeparatorInfo(separator, set_separator, unset_field, empty_field));
 
 	file = new ifstream(info.source);
 	if ( ! file->is_open() )

From c591e4f57f11d46f31f332b4a2f2115fca370bf1 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 12 Mar 2014 10:01:59 -0400
Subject: [PATCH 093/220] Expanded support for modifying the timestamp format
 in the JSON formatter.

---
 .../base/frameworks/logging/writers/ascii.bro |  6 ++--
 scripts/base/init-bare.bro                    | 18 +++++++++++
 src/logging.bif                               |  2 +-
 src/logging/writers/Ascii.cc                  | 30 ++++++++++++++++---
 src/logging/writers/Ascii.h                   |  5 ++--
 src/logging/writers/ElasticSearch.cc          |  2 +-
 src/threading/formatters/JSON.cc              | 14 +++++----
 src/threading/formatters/JSON.h               | 11 +++++--
 8 files changed, 69 insertions(+), 19 deletions(-)

diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro
index 68219cb964..2a887e64c0 100644
--- a/scripts/base/frameworks/logging/writers/ascii.bro
+++ b/scripts/base/frameworks/logging/writers/ascii.bro
@@ -25,10 +25,8 @@ export {
 	const use_json = F &redef;
 
 	## By default, the JSON formatter will use double values for timestamps
-	## which represent the number of seconds from the UNIX epoch.  By setting
-	## this to 'T', it will use the 8601 format.  This is also available as 
-	## a per-filter $config option.
-	const json_iso_timestamps = F &redef;
+	## which represent the number of seconds from the UNIX epoch.
+	const json_timestamps: JSON::TimestampFormat = JSON::TS_EPOCH &redef;
 
 	## If true, include lines with log meta information such as column names
 	## with types, the values of ASCII logging options that are in use, and
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index afb89ba1c7..0af4f0fb9d 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3057,6 +3057,24 @@ const record_all_packets = F &redef;
 ## .. bro:see:: conn_stats
 const ignore_keep_alive_rexmit = F &redef;
 
+module JSON;
+export {
+	type TimestampFormat: enum {
+		## Timestamps will be formatted as UNIX epoch doubles.  This is
+		## the format that Bro typically writes out timestamps.
+		TS_EPOCH,
+		## Timestamps will be formatted as unsigned integers that 
+		## represent the number of milliseconds since the UNIX
+		## epoch.
+		TS_MILLIS,
+		## Timestamps will be formatted in the ISO8601 DateTime format.
+		## Subseconds are also included which isn't actually part of the
+		## standard but most things that parse ISO8601 seem to be able
+		## to cope with that.
+		TS_ISO8601,
+	};
+}
+
 module Tunnel;
 export {
 	## The maximum depth of a tunnel to decapsulate until giving up.
diff --git a/src/logging.bif b/src/logging.bif
index f12aa50c1c..062e4dbe31 100644
--- a/src/logging.bif
+++ b/src/logging.bif
@@ -78,7 +78,7 @@ const set_separator: string;
 const empty_field: string;
 const unset_field: string;
 const use_json: bool;
-const json_iso_timestamps: bool;
+const json_timestamps: JSON::TimestampFormat;
 
 # Options for the DataSeries writer.
 
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index 976c083eda..e0d1293b70 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -11,6 +11,7 @@
 #include "Ascii.h"
 
 using namespace logging::writer;
+using namespace threading;
 using threading::Value;
 using threading::Field;
 
@@ -59,7 +60,6 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 	output_to_stdout = BifConst::LogAscii::output_to_stdout;
 	include_meta = BifConst::LogAscii::include_meta;
 	use_json = BifConst::LogAscii::use_json;
-	json_iso_timestamps = BifConst::LogAscii::json_iso_timestamps;
 
 	separator.assign(
 			(const char*) BifConst::LogAscii::separator->Bytes(),
@@ -86,6 +86,13 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 			BifConst::LogAscii::meta_prefix->Len()
 			);
 
+	ODesc tsfmt;
+	BifConst::LogAscii::json_timestamps->Describe(&tsfmt);
+	json_timestamps.assign(
+			(const char*) tsfmt.Bytes(),
+			tsfmt.Len()
+			);
+
 	// Set per-filter configuration options.
 	for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
 		{
@@ -142,13 +149,28 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 
 		else if ( strcmp(i->first, "meta_prefix") == 0 )
 			meta_prefix.assign(i->second);
+		
+		else if ( strcmp(i->first, "json_timestamps") == 0 )
+			json_timestamps.assign(i->second);
 		}
 
-
 	if ( use_json )
 		{
+		formatter::JSON::TimeFormat tf = formatter::JSON::TS_EPOCH;
 		// Write out JSON formatted logs.
-		formatter = new threading::formatter::JSON(this, json_iso_timestamps);
+		if ( strcmp(json_timestamps.c_str(), "JSON::TS_EPOCH") == 0 )
+			tf = formatter::JSON::TS_EPOCH;
+		else if ( strcmp(json_timestamps.c_str(), "JSON::TS_MILLIS") == 0 )
+			tf = formatter::JSON::TS_MILLIS;
+		else if ( strcmp(json_timestamps.c_str(), "JSON::TS_ISO8601") == 0 )
+			tf = formatter::JSON::TS_ISO8601;
+		else
+			{
+			Error(Fmt("Invalid JSON timestamp format: %s", json_timestamps.c_str()));
+			return false;
+			}
+
+		formatter = new formatter::JSON(this, tf);
 		// Using JSON implicitly turns off the header meta fields.
 		include_meta = false;
 		}
@@ -157,7 +179,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 		// Use the default "Bro logs" format.
 		desc.EnableEscaping();
 		desc.AddEscapeSequence(separator);
-		formatter = new threading::formatter::Ascii(this, threading::formatter::Ascii::SeparatorInfo(separator, set_separator, unset_field, empty_field));
+		formatter = new formatter::Ascii(this, formatter::Ascii::SeparatorInfo(separator, set_separator, unset_field, empty_field));
 		}
 
 	string path = info.path;
diff --git a/src/logging/writers/Ascii.h b/src/logging/writers/Ascii.h
index d131a289b4..a70f3c2c5e 100644
--- a/src/logging/writers/Ascii.h
+++ b/src/logging/writers/Ascii.h
@@ -47,14 +47,15 @@ private:
 	bool output_to_stdout;
 	bool include_meta;
 	bool tsv;
-	bool use_json;
-	bool json_iso_timestamps;
 
 	string separator;
 	string set_separator;
 	string empty_field;
 	string unset_field;
 	string meta_prefix;
+	
+	bool use_json;
+	string json_timestamps;
 
 	threading::formatter::Formatter* formatter;
 };
diff --git a/src/logging/writers/ElasticSearch.cc b/src/logging/writers/ElasticSearch.cc
index 0a18e624ea..45549cb565 100644
--- a/src/logging/writers/ElasticSearch.cc
+++ b/src/logging/writers/ElasticSearch.cc
@@ -52,7 +52,7 @@ ElasticSearch::ElasticSearch(WriterFrontend* frontend) : WriterBackend(frontend)
 
 	curl_handle = HTTPSetup();
 
-	json = new threading::formatter::JSON(this, false);
+	json = new threading::formatter::JSON(this, threading::formatter::JSON::TS_MILLIS);
 }
 
 ElasticSearch::~ElasticSearch()
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 57e9d58527..0523d38f8b 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -10,9 +10,9 @@
 
 using namespace threading::formatter;
 
-JSON::JSON(MsgThread* t, bool json_iso_timestamps) : Formatter(t)
+JSON::JSON(MsgThread* t, TimeFormat tf) : Formatter(t)
 	{
-	iso_timestamps = json_iso_timestamps;
+	timestamps = tf;
 	}
 
 JSON::~JSON()
@@ -102,7 +102,7 @@ bool JSON::Describe(ODesc* desc, Value* val) const
 
 		case TYPE_TIME:
 			{
-			if ( iso_timestamps )
+			if ( timestamps == TS_ISO8601 )
 				{
 				char buffer[40];
 				time_t t = time_t(val->val.double_val);
@@ -118,14 +118,18 @@ bool JSON::Describe(ODesc* desc, Value* val) const
 					desc->AddRaw("\"", 1);
 					}
 				}
-			else
+			else if ( timestamps == TS_EPOCH )
+				{
+				desc->Add(val->val.double_val);
+				}
+			else if ( timestamps == TS_MILLIS )
 				{
 				// ElasticSearch uses milliseconds for timestamps and json only
 				// supports signed ints (uints can be too large).
 				uint64_t ts = (uint64_t) (val->val.double_val * 1000);
 				if ( ts >= INT64_MAX )
 					{
-					thread->Error(thread->Fmt("time value too large for JSON: %" PRIu64, ts));
+					thread->Error(thread->Fmt("time value too large for JSON milliseconds: %" PRIu64, ts));
 					desc->AddRaw("null", 4);
 					}
 				else
diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h
index b15da075cd..d21a705ce1 100644
--- a/src/threading/formatters/JSON.h
+++ b/src/threading/formatters/JSON.h
@@ -13,7 +13,14 @@ namespace threading { namespace formatter {
   */
 class JSON : public Formatter {
 public:
-	JSON(threading::MsgThread* t, bool json_iso_timestamps);
+
+	enum TimeFormat {
+		TS_EPOCH,   // Doubles that represents seconds from the UNIX epoch.
+		TS_ISO8601, // ISO 8601 defined human readable timestamp format.
+		TS_MILLIS   // Milliseconds from the UNIX epoch.  Some things need this (elasticsearch).
+		};
+
+	JSON(threading::MsgThread* t, TimeFormat tf);
 	virtual ~JSON();
 
 	virtual bool Describe(ODesc* desc, threading::Value* val) const;
@@ -23,7 +30,7 @@ public:
 	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
 
 private:
-	bool iso_timestamps;
+	TimeFormat timestamps;
 };
 
 }}

From ed7f658ee2f6bf63ac4b6a5bcc37e1182b6337d6 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Wed, 12 Mar 2014 10:10:40 -0400
Subject: [PATCH 094/220] Updating a couple of tests.

---
 .../Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log | 2 +-
 .../base/frameworks/logging/ascii-json-iso-timestamps.bro       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
index 9e4e74c018..180d6a4374 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json/ssh.log
@@ -1 +1 @@
-{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":1215620010543,"iv":100.0,"s":"hurz","sc":[2,4,1,3],"ss":["CC","AA","BB"],"se":[],"vc":[10,20,30],"ve":[],"f":"SSH::foo\u000a{ \u000aif (0 < SSH::i) \u000a\u0009return (Foo);\u000aelse\u000a\u0009return (Bar);\u000a\u000a}"}
+{"b":true,"i":-42,"e":"SSH::LOG","c":21,"p":123,"sn":"10.0.0.0/24","a":"1.2.3.4","d":3.14,"t":1215620010.54321,"iv":100.0,"s":"hurz","sc":[2,4,1,3],"ss":["CC","AA","BB"],"se":[],"vc":[10,20,30],"ve":[],"f":"SSH::foo\u000a{ \u000aif (0 < SSH::i) \u000a\u0009return (Foo);\u000aelse\u000a\u0009return (Bar);\u000a\u000a}"}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
index f9541edda7..fa2a6f1efd 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-iso-timestamps.bro
@@ -5,7 +5,7 @@
 # Testing all possible types.
 
 redef LogAscii::use_json = T;
-redef LogAscii::json_iso_timestamps = T;
+redef LogAscii::json_timestamps = JSON::TS_ISO8601;
 
 module SSH;
 

From 302c063874f03c94eb0f96c974a2d0e2f137e51f Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 12 Mar 2014 15:59:05 -0500
Subject: [PATCH 095/220] Improve DBG_LOG macro (perf. improvement for
 --enable-debug mode).

Many usages of this macro do some string formatting work inline in the
arguments that end up being unnecessary because the debug stream is
disabled.
---
 src/DebugLogger.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/DebugLogger.h b/src/DebugLogger.h
index d1f053788e..8546839988 100644
--- a/src/DebugLogger.h
+++ b/src/DebugLogger.h
@@ -33,10 +33,12 @@ enum DebugStream {
 	NUM_DBGS // Has to be last
 };
 
-#define DBG_LOG(args...) debug_logger.Log(args)
-#define DBG_LOG_VERBOSE(args...) \
-	if ( debug_logger.IsVerbose() ) \
-		debug_logger.Log(args)
+#define DBG_LOG(stream, args...) \
+	if ( debug_logger.IsEnabled(stream) ) \
+		debug_logger.Log(stream, args)
+#define DBG_LOG_VERBOSE(stream, args...) \
+	if ( debug_logger.IsVerbose() && debug_logger.IsEnabled(stream) ) \
+		debug_logger.Log(stream, args)
 #define DBG_PUSH(stream) debug_logger.PushIndent(stream)
 #define DBG_POP(stream) debug_logger.PopIndent(stream)
 

From a42b865bedb6b40bfeb44fc203bb1a7ef744dd7d Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Wed, 12 Mar 2014 17:23:48 -0700
Subject: [PATCH 096/220] Updating submodule(s).

 [nomail]
---
 aux/binpac   | 2 +-
 aux/bro-aux  | 2 +-
 aux/broccoli | 2 +-
 aux/broctl   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/aux/binpac b/aux/binpac
index 54b321009b..fe27162849 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 54b321009b750268526419bdbd841f421c839313
+Subproject commit fe271628492b7b837b3fbcf4626061c8b3568589
diff --git a/aux/bro-aux b/aux/bro-aux
index ebf9c0d88a..d7ac87294f 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit ebf9c0d88ae8230845b91f15755156f93ff21aa8
+Subproject commit d7ac87294f415b5ddf3fc81bcae29815d2f835b1
diff --git a/aux/broccoli b/aux/broccoli
index 52ba12128e..3138e5068e 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 52ba12128e0673a09cbc7a68b8485f5d19030633
+Subproject commit 3138e5068eeeb374c39c3d3b05b482b84d1f6e9c
diff --git a/aux/broctl b/aux/broctl
index 07349a4593..756eb3e5bd 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 07349a459372d72b333bbc50e5f70584520c0bb3
+Subproject commit 756eb3e5bd63a830cfb0fab3ab6a41115f02c05b

From 0d50b8b04ff2551ce816afaa15b94d54e8cdc910 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 13 Mar 2014 00:05:48 -0700
Subject: [PATCH 097/220] Change x509 log - now certificates are only logged
 once per hour.

Add parsing of several more types to SAN extension.

Make error messages of x509 file analyzer more useful.

Fix file ID generation.

You apparently have to be very careful which EndOfFile function of
the file analysis framework you call... otherwhise it might try
to close another file id. This took me quite a while to find.

addresses BIT-953, BIT-760, BIT-1150
---
 scripts/base/files/x509/main.bro              | 40 ++++++++--
 scripts/base/init-bare.bro                    | 18 +++--
 scripts/base/protocols/ssl/files.bro          | 79 ++++++++++++++-----
 src/analyzer/protocol/ssl/events.bif          |  6 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  4 +-
 src/file_analysis/Manager.h                   |  2 +-
 src/file_analysis/analyzer/x509/X509.cc       | 79 ++++++++++++++++---
 src/file_analysis/analyzer/x509/events.bif    | 55 ++++++++++++-
 src/file_analysis/analyzer/x509/functions.bif | 12 ++-
 src/file_analysis/analyzer/x509/types.bif     |  2 +-
 10 files changed, 242 insertions(+), 55 deletions(-)

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index b20c6c715e..8192fb9e42 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -6,12 +6,15 @@ module X509;
 export {
 	redef enum Log::ID += { LOG };
 
+	## Set that keeps track of the certificates which were logged recently.
+	global cert_hashes: set[string] &create_expire=1hrs &synchronized &redef;
+
 	type Info: record {
 		## current timestamp
-		ts: time &log &default=network_time();
+		ts: time &log;
 
-		## file id of this certificate
-		id: string &log;
+		## SHA-1 hash of this certificate
+		sha1: string &log &optional;
     
 		## Basic information about the certificate
 		certificate: X509::Certificate &log;
@@ -24,7 +27,7 @@ export {
 		extensions: vector of X509::Extension &default=vector();
 
 		## Subject alternative name extension of the certificate
-		san: string_vec &optional &log;
+		san: X509::SubjectAlternativeName &optional &log;
 
 		## Basic constraints extension of the certificate
 		basic_constraints: X509::BasicConstraints &optional &log;
@@ -45,9 +48,20 @@ redef record Files::Info += {
 	x509: X509::Info &optional;
 };
 
+# Either, this event arrives first - then info$x509 does not exist 
+# yet and this is a no-op, and the sha1 value is set in x509_certificate.
+# Or the x509_certificate event arrives first - then the hash is set here.
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( f$info?$x509 && kind == "sha1" )
+		f$info$x509$sha1 = hash;
+	}
+
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
-	f$info$x509 = [$id=f$id, $certificate=cert, $handle=cert_ref];
+	f$info$x509 = [$ts=f$info$ts, $certificate=cert, $handle=cert_ref];
+	if ( f$info?$sha1 )
+		f$info$x509$sha1 = f$info$sha1;
 	}
 
 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
@@ -62,10 +76,10 @@ event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &prior
 		f$info$x509$basic_constraints = ext;
 	}
 
-event x509_ext_subject_alternative_name(f: fa_file, names: string_vec) &priority=5
+event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &priority=5
 	{
 	if ( f$info?$x509 )
-		f$info$x509$san = names;
+		f$info$x509$san = ext;
 	}
 
 event file_state_remove(f: fa_file) &priority=5
@@ -73,5 +87,17 @@ event file_state_remove(f: fa_file) &priority=5
 	if ( ! f$info?$x509 )
 		return;
 
+	if ( ! f$info$x509?$sha1 )
+		{
+		Reporter::error(fmt("Certificate without a hash value. Logging skipped. File-id: %s", f$id));
+		return;
+		}
+
+	if ( f$info$x509$sha1 in cert_hashes )
+		# we already have seen & logged this certificate
+		return;
+
+	add cert_hashes[f$info$x509$sha1];
+
 	Log::write(LOG, f$info$x509);
 	}
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f59355895d..ad01d4ef87 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2750,7 +2750,7 @@ export {
 
 module X509;
 export {
-	type X509::Certificate: record {
+	type Certificate: record {
 		version: count;	##< Version number.
 		serial: string;	##< Serial number.
 		subject: string;	##< Subject.
@@ -2767,7 +2767,7 @@ export {
 		#path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
 	} &log;
 
-	type X509::Extension: record {
+	type Extension: record {
 		name: string; ##< long name of extension. oid if name not known
 		short_name: string &optional; ##< short name of extension if known.
 		oid: string; ##< oid of extension
@@ -2775,13 +2775,21 @@ export {
 		value: string; ##< extension content parsed to string for known extensions. Raw data otherwise.
 	};
 
-	type X509::BasicConstraints: record {
+	type BasicConstraints: record {
 		ca: bool; ##< CA flag set?
-		path_len: count &optional;
+		path_len: count &optional; ##< maximum path length
 	} &log;
+
+	type SubjectAlternativeName: record {
+		dns: string_vec &optional &log; ##< list of DNS entries in SAN
+		uri: string_vec &optional &log; ##< list of URI entries in SAN
+		email: string_vec &optional &log; ##< list of email entries in SAN
+		ip: addr_vec &optional &log; ##< list of IP entries in SAN
+		other_fields: bool; ##< true if the certificate contained other, not recognized or parsed name fields
+	};
 	
 	## Result of an X509 certificate chain verification
-	type X509::Result: record {
+	type Result: record {
 		## OpenSSL result code
 		result:	count;
 		## Result as string
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index a10a3f5f76..18bf3c3236 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -11,29 +11,34 @@ export {
 		## complete signing chain.
 		cert_chain: vector of Files::Info &optional;
 
-		## An ordered vector of all certicate file unique IDs for the
+		## An ordered vector of all certicate sha1 hashes for the
 		## certificates offered by the server.
-		cert_chain_fuids: vector of string &optional &log;
+		cert_chain_sha1s: vector of string &optional &log;
 
 		## Chain of certificates offered by the client to validate its
 		## complete signing chain.
 		client_cert_chain: vector of Files::Info &optional;
 		
-		## An ordered vector of all certicate file unique IDs for the
+		## An ordered vector of all certicate sha1 hashes for the
 		## certificates offered by the client.
-		client_cert_chain_fuids: vector of string &optional &log;
+		client_cert_chain_sha1s: vector of string &optional &log;
 		
 		## Subject of the X.509 certificate offered by the server.
-		subject:          string           &log &optional;
+		subject: string &log &optional;
 		## Subject of the signer of the X.509 certificate offered by the
 		## server.
-		issuer:   string           &log &optional;
+		issuer: string &log &optional;
 		
 		## Subject of the X.509 certificate offered by the client.
-		client_subject:          string           &log &optional;
+		client_subject: string &log &optional;
 		## Subject of the signer of the X.509 certificate offered by the
 		## client.
-		client_issuer:   string           &log &optional;
+		client_issuer: string &log &optional;
+
+		## current number of certificates seen from either side. Used
+		## to create file handles
+		server_depth: count &default=0;
+		client_depth: count &default=0;
 	};
 
 	## Default file handle provider for SSL.
@@ -45,7 +50,22 @@ export {
 
 function get_file_handle(c: connection, is_orig: bool): string
 	{
-	return cat(Analyzer::ANALYZER_SSL, c$start_time);
+	set_session(c);
+
+	local depth: count;
+
+	if ( is_orig )
+		{
+		depth = c$ssl$client_depth;
+		++c$ssl$client_depth;
+		}
+	else
+		{
+		depth = c$ssl$server_depth;
+		++c$ssl$server_depth;
+		}
+
+	return cat(Analyzer::ANALYZER_SSL, c$start_time, is_orig, id_string(c$id), depth);
 	}
 
 function describe_file(f: fa_file): string
@@ -54,7 +74,19 @@ function describe_file(f: fa_file): string
 	if ( f$source != "SSL" )
 		return "";
 
-	# Fixme!
+	# It is difficult to reliably describe a certificate - especially since
+	# we do not know when this function is called (hence, if the data structures
+	# are already populated).
+	#
+	# Just return a bit of our connection information and hope that that is good enough.
+	for ( cid in f$conns )
+		{
+		if ( f$conns[cid]?$ssl )
+			{
+			local c = f$conns[cid];
+			return cat(c$id$resp_h, ":", c$id$resp_p);
+			}
+		}
 
 	return "";
 	}
@@ -75,30 +107,22 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		{
 		c$ssl$cert_chain = vector();
 		c$ssl$client_cert_chain = vector();
-		c$ssl$cert_chain_fuids = string_vec();
-		c$ssl$client_cert_chain_fuids = string_vec();
 		}	
 
 	if ( is_orig )
-		{
 		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
-		c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
-		}
 	else
-		{
 		c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
-		c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
-		}
 
 	Files::add_analyzer(f, Files::ANALYZER_X509);
-	# always calculate hashes for certificates
+	# always calculate hashes. SHA1 is always required for certificates.
 	Files::add_analyzer(f, Files::ANALYZER_MD5);
 	Files::add_analyzer(f, Files::ANALYZER_SHA1);
 	}
 
 event ssl_established(c: connection) &priority=6
 	{
-	# update subject and issuer information
+	# update subject and issuer information as well as sha1 hashes
 	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
 		{
 		c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
@@ -110,4 +134,19 @@ event ssl_established(c: connection) &priority=6
 		c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
 		c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
 		}
+
+
+	if ( c$ssl?$cert_chain )
+		{
+		c$ssl$cert_chain_sha1s = string_vec();
+		for ( i in c$ssl$cert_chain )
+			c$ssl$cert_chain_sha1s[i] = c$ssl$cert_chain[i]$x509$sha1;
+		}
+
+	if ( c$ssl?$client_cert_chain )
+		{
+		c$ssl$client_cert_chain_sha1s = string_vec();
+		for ( i in c$ssl$client_cert_chain )
+			c$ssl$client_cert_chain_sha1s[i] = c$ssl$client_cert_chain[i]$x509$sha1;
+		}
 	}
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 32a648f2d3..054d9c672f 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -25,7 +25,7 @@
 ##          :bro:id:`SSL::cipher_desc` table maps them to descriptive names.
 ##
 ## .. bro:see:: ssl_alert  ssl_established ssl_extension ssl_server_hello
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake x509_certificate
 event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
@@ -58,7 +58,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##              standardized as part of the SSL/TLS protocol.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
+##    ssl_session_ticket_handshake x509_certificate
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -92,7 +92,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## c: The connection.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello  ssl_extension ssl_server_hello
-##    ssl_session_ticket_handshake
+##    ssl_session_ticket_handshake x509_certificate
 event ssl_established%(c: connection%);
 
 ## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 635274793c..3fdf13713d 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -235,9 +235,9 @@ refine connection SSL_Conn += {
 			{
 			const bytestring& cert = (*certificates)[i];
 
-			file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(), 
+			string fid = file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(),
 					bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), ${rec.is_orig});
-			file_mgr->EndOfFile(bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn());
+			file_mgr->EndOfFile(fid);
 			}
 		return true;
 		%}
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 649f82c164..2e7d7a7de4 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -108,7 +108,7 @@ public:
 	 *         cached and passed back in to a subsequent function call in order
 	 *         to avoid costly file handle lookups (which have to go through
 	 *         the \c get_file_handle script-layer event).  An empty string
-	 *         indicates the associate file is not going to be analyzed further.
+	 *         indicates the associated file is not going to be analyzed further.
 	 */
 	std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag,
 	                   Connection* conn, bool is_orig,
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 4109781193..8a429489e8 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -45,7 +45,7 @@ bool file_analysis::X509::EndOfFile()
 	::X509* ssl_cert = d2i_X509(NULL, &cert_char, cert_data.size());
 	if ( !ssl_cert )
 		{
-		reporter->Error("Could not parse X509 certificate");
+		reporter->Error("Could not parse X509 certificate. fuid %s", GetFile()->GetID().c_str());
 		return false;
 		}
 
@@ -222,7 +222,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 	BASIC_CONSTRAINTS *constr = (BASIC_CONSTRAINTS *) X509V3_EXT_d2i(ex);
 	if ( !constr ) 
 		{
-		reporter->Error("Certificate with invalid BasicConstraint");
+		reporter->Error("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str());
 		}
 	else 	
 		{
@@ -246,41 +246,96 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 	GENERAL_NAMES *altname = (GENERAL_NAMES*)X509V3_EXT_d2i(ext);
 	if ( !altname )
 		{
-		reporter->Error("could not parse subject alternative names");
+		reporter->Error("Could not parse subject alternative names. fuid %s", GetFile()->GetID().c_str());
 		return;
 		}
 
-	VectorVal* names = new VectorVal(internal_type("string_vec")->AsVectorType());
+	VectorVal* names = 0;
+	VectorVal* emails = 0;
+	VectorVal* uris = 0;
+	VectorVal* ips = 0;
+
+	unsigned int otherfields = 0;
 
-	int j = 0;
 	for ( int i = 0; i < sk_GENERAL_NAME_num(altname); i++ ) 
 		{
 		GENERAL_NAME *gen = sk_GENERAL_NAME_value(altname, i);
 		assert(gen);
 
-		if ( gen->type == GEN_DNS )
+		if ( gen->type == GEN_DNS || gen->type == GEN_URI || gen->type == GEN_EMAIL )
 			{
 			if (ASN1_STRING_type(gen->d.ia5) != V_ASN1_IA5STRING) 
 				{
-				reporter->Error("DNS-field does not contain an IA5String");
+				reporter->Error("DNS-field does not contain an IA5String. fuid %s", GetFile()->GetID().c_str());
 				continue;
 				}
 			const char* name = (const char*) ASN1_STRING_data(gen->d.ia5);
 			StringVal* bs = new StringVal(name);
-			names->Assign(j, bs);
-			j++;
+
+			switch ( gen->type )
+				{
+				case GEN_DNS:
+					if ( names == 0 )
+						names = new VectorVal(internal_type("string_vec")->AsVectorType());
+					names->Assign(names->Size(), bs);
+					break;
+
+				case GEN_URI:
+					if ( uris == 0 )
+						uris = new VectorVal(internal_type("string_vec")->AsVectorType());
+					uris->Assign(uris->Size(), bs);
+					break;
+
+				case GEN_EMAIL:
+					if ( emails == 0 )
+						emails = new VectorVal(internal_type("string_vec")->AsVectorType());
+					emails->Assign(emails->Size(), bs);
+					break;
+				}
+			}
+		else if ( gen->type == GEN_IPADD )
+			{
+				if ( ips == 0 )
+					ips = new VectorVal(internal_type("addr_vec")->AsVectorType());
+
+				uint32* addr = (uint32*) gen->d.ip->data;
+				if(gen->d.ip->length == 4 )
+					{
+					ips->Assign(ips->Size(), new AddrVal(*addr));
+					}
+				else if ( gen->d.ip->length == 16 )
+					{
+					ips->Assign(ips->Size(), new AddrVal(addr));
+					}
+				else
+					{
+					reporter->Error("Weird IP address length %d in subject alternative name. fuid %s", gen->d.ip->length, GetFile()->GetID().c_str());
+					continue;
+					}
 			}
 		else 
 			{
-			// we should perhaps sometime parse out ip-addresses
-			reporter->Error("Subject alternative name contained non-dns fields");
+			//reporter->Error("Subject alternative name contained unsupported fields. fuid %s", GetFile()->GetID().c_str());
+			// This happens quite often - just mark it
+			otherfields = 1;
 			continue;
 			}
 		}
 
+		RecordVal* sanExt = new RecordVal(BifType::Record::X509::SubjectAlternativeName);
+		if ( names != 0 )
+			sanExt->Assign(0, names);
+		if ( uris != 0 )
+			sanExt->Assign(1, uris);
+		if ( emails != 0 )
+			sanExt->Assign(2, emails);
+		if ( ips != 0 )
+			sanExt->Assign(3, ips);
+		sanExt->Assign(4, new Val(otherfields, TYPE_BOOL));
+
 		val_list* vl = new val_list();
 		vl->append(GetFile()->GetVal()->Ref());
-		vl->append(names);
+		vl->append(sanExt);
 
 		mgr.QueueEvent(x509_ext_subject_alternative_name, vl);
 	}
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 2cfc5882a4..a6db8fac44 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -1,4 +1,57 @@
+## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS 
+## connection handshake.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
+## about the X.509 format.
+##
+## f: The file.
+##
+## cert_ref: An opaque pointer to the underlying OpenSSL data structure of the
+##           certificate.
+##
+## cert: The parsed certificate information.
+##
+## .. bro:see:: x509_extension x509_ext_basic_constraints
+##              x509_ext_subject_alternative_name x509_parse x509_verify
+##              x509_get_certificate_string
 event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
+
+## Generated for X509 extensions seen in a certificate.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/X.509>`__ for more information
+## about the X.509 format.
+##
+## f: The file.
+##
+## ext: The parsed extension.
+##
+## .. bro:see:: x509_certificate x509_ext_basic_constraints
+##              x509_ext_subject_alternative_name x509_parse x509_verify
+##              x509_get_certificate_string
 event x509_extension%(f: fa_file, ext: X509::Extension%);
+
+## Generated for the X509 basic constraints extension seen in a certificate.
+## This extension can be used to identify the subject of a certificate as a CA.
+##
+## f: The file.
+##
+## ext: The parsed basic constraints extension.
+##
+## .. bro:see:: x509_certificate x509_extension
+##              x509_ext_subject_alternative_name x509_parse x509_verify
+##              x509_get_certificate_string
 event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
-event x509_ext_subject_alternative_name%(f: fa_file, names: string_vec%);
+
+## Generated for the X509 subject alternative name extension seen in a certificate.
+## This extension can be used to allow additional entities to be bound to the subject
+## of the certificate. Usually it is used to specify one or multiple DNS names for 
+## which a certificate is valid.
+##
+## f: The file.
+##
+## ext: The parsed subject alternative name extension.
+##
+## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
+##              x509_parse x509_verify
+##              x509_get_certificate_string
+event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 36c261d216..4c1b31942f 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -42,7 +42,9 @@ RecordVal* x509_error_record(uint64_t num, const char* reason)
 ##
 ## Returns: A X509::Certificate structure
 ##
-## .. bro:see:: x509_verify
+## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
+##              x509_ext_subject_alternative_name x509_verify
+##              x509_get_certificate_string
 function x509_parse%(cert: opaque of x509%): X509::Certificate
 	%{
 	assert(cert);
@@ -60,7 +62,9 @@ function x509_parse%(cert: opaque of x509%): X509::Certificate
 ##      (false).
 ##
 ## Returns: X509 certificate as a string
-
+##
+## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
+##              x509_ext_subject_alternative_name x509_parse x509_verify
 function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F%): string
 	%{
 	assert(cert);
@@ -101,7 +105,9 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 ## Returns: A record of type X509::Result containing the result code of the verify
 ##          operation. In case of success also returns the full certificate chain.
 ##
-## .. bro:see:: x509_parse
+## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
+##              x509_ext_subject_alternative_name x509_parse
+##              x509_get_certificate_string
 function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string%): X509::Result
 	%{
 	X509_STORE* ctx = 0;
diff --git a/src/file_analysis/analyzer/x509/types.bif b/src/file_analysis/analyzer/x509/types.bif
index 6b3049883e..258d848e1e 100644
--- a/src/file_analysis/analyzer/x509/types.bif
+++ b/src/file_analysis/analyzer/x509/types.bif
@@ -1,5 +1,5 @@
 type X509::Certificate: record;
 type X509::Extension: record;
 type X509::BasicConstraints: record;
+type X509::SubjectAlternativeName: record;
 type X509::Result: record;
-

From 74d728656d65e5a1c228ec0b6525871819be636b Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 13 Mar 2014 13:38:44 -0700
Subject: [PATCH 098/220] Revert change to only log certificates once per hour.

addresses BIT-953, BIT-760, BIT-1150
---
 scripts/base/files/x509/main.bro     | 32 +++----------------------
 scripts/base/protocols/ssl/files.bro | 36 ++++++++++++----------------
 2 files changed, 18 insertions(+), 50 deletions(-)

diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
index 8192fb9e42..8c108c8743 100644
--- a/scripts/base/files/x509/main.bro
+++ b/scripts/base/files/x509/main.bro
@@ -6,15 +6,12 @@ module X509;
 export {
 	redef enum Log::ID += { LOG };
 
-	## Set that keeps track of the certificates which were logged recently.
-	global cert_hashes: set[string] &create_expire=1hrs &synchronized &redef;
-
 	type Info: record {
 		## current timestamp
 		ts: time &log;
 
-		## SHA-1 hash of this certificate
-		sha1: string &log &optional;
+		## file id of this certificate
+		id: string &log;
     
 		## Basic information about the certificate
 		certificate: X509::Certificate &log;
@@ -48,20 +45,9 @@ redef record Files::Info += {
 	x509: X509::Info &optional;
 };
 
-# Either, this event arrives first - then info$x509 does not exist 
-# yet and this is a no-op, and the sha1 value is set in x509_certificate.
-# Or the x509_certificate event arrives first - then the hash is set here.
-event file_hash(f: fa_file, kind: string, hash: string)
-	{
-	if ( f$info?$x509 && kind == "sha1" )
-		f$info$x509$sha1 = hash;
-	}
-
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
-	f$info$x509 = [$ts=f$info$ts, $certificate=cert, $handle=cert_ref];
-	if ( f$info?$sha1 )
-		f$info$x509$sha1 = f$info$sha1;
+	f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
 	}
 
 event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
@@ -87,17 +73,5 @@ event file_state_remove(f: fa_file) &priority=5
 	if ( ! f$info?$x509 )
 		return;
 
-	if ( ! f$info$x509?$sha1 )
-		{
-		Reporter::error(fmt("Certificate without a hash value. Logging skipped. File-id: %s", f$id));
-		return;
-		}
-
-	if ( f$info$x509$sha1 in cert_hashes )
-		# we already have seen & logged this certificate
-		return;
-
-	add cert_hashes[f$info$x509$sha1];
-
 	Log::write(LOG, f$info$x509);
 	}
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 18bf3c3236..4216f26fe3 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -11,17 +11,17 @@ export {
 		## complete signing chain.
 		cert_chain: vector of Files::Info &optional;
 
-		## An ordered vector of all certicate sha1 hashes for the
+		## An ordered vector of all certicate file unique IDs for the
 		## certificates offered by the server.
-		cert_chain_sha1s: vector of string &optional &log;
+		cert_chain_fuids: vector of string &optional &log;
 
 		## Chain of certificates offered by the client to validate its
 		## complete signing chain.
 		client_cert_chain: vector of Files::Info &optional;
 		
-		## An ordered vector of all certicate sha1 hashes for the
+		## An ordered vector of all certicate file unique IDs for the
 		## certificates offered by the client.
-		client_cert_chain_sha1s: vector of string &optional &log;
+		client_cert_chain_fuids: vector of string &optional &log;
 		
 		## Subject of the X.509 certificate offered by the server.
 		subject: string &log &optional;
@@ -107,22 +107,31 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		{
 		c$ssl$cert_chain = vector();
 		c$ssl$client_cert_chain = vector();
+		c$ssl$cert_chain_fuids = string_vec();
+		c$ssl$client_cert_chain_fuids = string_vec();
 		}	
 
 	if ( is_orig )
+		{
 		c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
+		c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
+		}
 	else
+		{
 		c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info;
+		c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id;
+		}
 
 	Files::add_analyzer(f, Files::ANALYZER_X509);
-	# always calculate hashes. SHA1 is always required for certificates.
+	# always calculate hashes. They are not necessary for base scripts
+	# but very useful for identification, and required for policy scripts
 	Files::add_analyzer(f, Files::ANALYZER_MD5);
 	Files::add_analyzer(f, Files::ANALYZER_SHA1);
 	}
 
 event ssl_established(c: connection) &priority=6
 	{
-	# update subject and issuer information as well as sha1 hashes
+	# update subject and issuer information
 	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
 		{
 		c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
@@ -134,19 +143,4 @@ event ssl_established(c: connection) &priority=6
 		c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
 		c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;
 		}
-
-
-	if ( c$ssl?$cert_chain )
-		{
-		c$ssl$cert_chain_sha1s = string_vec();
-		for ( i in c$ssl$cert_chain )
-			c$ssl$cert_chain_sha1s[i] = c$ssl$cert_chain[i]$x509$sha1;
-		}
-
-	if ( c$ssl?$client_cert_chain )
-		{
-		c$ssl$client_cert_chain_sha1s = string_vec();
-		for ( i in c$ssl$client_cert_chain )
-			c$ssl$client_cert_chain_sha1s[i] = c$ssl$client_cert_chain[i]$x509$sha1;
-		}
 	}

From 4eb81de08e7438c8b8538e2866c33a4f109df7e7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 13 Mar 2014 14:58:30 -0700
Subject: [PATCH 099/220] Refactoring code to reuse ApplyScheduledAnalyzers().

This is potentially changing the exact time when the
scheduled_analyzer_applied() event is executed, but that should be
fine afaict.
---
 CHANGES                 |  5 +++++
 VERSION                 |  2 +-
 src/analyzer/Manager.cc | 45 ++++++++++++++---------------------------
 src/analyzer/Manager.h  | 11 +++++++++-
 4 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/CHANGES b/CHANGES
index b77c8a7461..e39b7d253f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.2-229 | 2014-03-13 14:58:30 -0700
+
+  * Refactoring analyzer manager code to reuse
+    ApplyScheduledAnalyzers(). (Robin Sommer)
+
 2.2-228 | 2014-03-13 14:25:53 -0700
 
   * Teach async DNS lookup builtin-functions about BRO_DNS_FAKE.
diff --git a/VERSION b/VERSION
index 53c7b50d9d..9e47c5d61f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-228
+2.2-229
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 56b838b5b3..56e8de5c84 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -358,7 +358,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	udp::UDP_Analyzer* udp = 0;
 	icmp::ICMP_Analyzer* icmp = 0;
 	TransportLayerAnalyzer* root = 0;
-	tag_set expected;
 	pia::PIA* pia = 0;
 	bool analyzed = false;
 	bool check_port = false;
@@ -368,7 +367,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	case TRANSPORT_TCP:
 		root = tcp = new tcp::TCP_Analyzer(conn);
 		pia = new pia::PIA_TCP(conn);
-		expected = GetScheduled(conn);
 		check_port = true;
 		DBG_ANALYZER(conn, "activated TCP analyzer");
 		break;
@@ -376,7 +374,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	case TRANSPORT_UDP:
 		root = udp = new udp::UDP_Analyzer(conn);
 		pia = new pia::PIA_UDP(conn);
-		expected = GetScheduled(conn);
 		check_port = true;
 		DBG_ANALYZER(conn, "activated UDP analyzer");
 		break;
@@ -393,25 +390,12 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 		return false;
 	}
 
-	// Any scheduled analyzer?
-	for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ )
-		{
-		Analyzer* analyzer = analyzer_mgr->InstantiateAnalyzer(*i, conn);
-
-		if ( analyzer )
-			{
-			root->AddChildAnalyzer(analyzer, false);
-
-			DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
-					  analyzer_mgr->GetComponentName(*i));
-			}
-
-		}
+	bool scheduled = ApplyScheduledAnalyzers(conn, false, root);
 
 	// Hmm... Do we want *just* the expected analyzer, or all
 	// other potential analyzers as well?  For now we only take
 	// the scheduled ones.
-	if ( expected.size() == 0 )
+	if ( ! scheduled )
 		{ // Let's see if it's a port we know.
 		if ( check_port && ! dpd_ignore_ports )
 			{
@@ -519,13 +503,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	if ( ! analyzed )
 		conn->SetLifetime(non_analyzed_lifetime);
 
-	for ( tag_set::iterator i = expected.begin(); i != expected.end(); i++ )
-		{
-		EnumVal* tag = i->AsEnumVal();
-		Ref(tag);
-		conn->Event(scheduled_analyzer_applied, 0, tag);
-		}
-
 	return true;
 	}
 
@@ -637,12 +614,13 @@ Manager::tag_set Manager::GetScheduled(const Connection* conn)
 	return result;
 	}
 
-void Manager::ApplyScheduledAnalyzers(Connection* conn)
+bool Manager::ApplyScheduledAnalyzers(Connection* conn, bool init, TransportLayerAnalyzer* parent)
 	{
-	TransportLayerAnalyzer* root = conn->GetRootAnalyzer();
+	if ( ! parent )
+		parent = conn->GetRootAnalyzer();
 
-	if ( ! root )
-		return;
+	if ( ! parent )
+		return false;
 
 	tag_set expected = GetScheduled(conn);
 
@@ -653,8 +631,15 @@ void Manager::ApplyScheduledAnalyzers(Connection* conn)
 		if ( ! analyzer )
 			continue;
 
-		root->AddChildAnalyzer(analyzer, true);
+		parent->AddChildAnalyzer(analyzer, init);
+
+		EnumVal* tag = it->AsEnumVal();
+		Ref(tag);
+		conn->Event(scheduled_analyzer_applied, 0, tag);
+
 		DBG_ANALYZER_ARGS(conn, "activated %s analyzer as scheduled",
 		                  analyzer_mgr->GetComponentName(*it));
 		}
+
+	return expected.size();
 	}
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index 82ace5bd98..b53f151e75 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -297,8 +297,17 @@ public:
 	 * and then attaches them.
 	 *
 	 * @param conn The connection to which scheduled analyzers are attached.
+	 *
+	 * @param init True if the newly added analyzers should be
+	 * immediately initialized.
+	 *
+	 * @param root If given, the scheduled analyzers will become childs
+	 * of this; if not given the connection's root analyzer is used
+	 * instead.
+	 *
+	 * @return True if at least one scheduled analyzer was found.
 	 */
-	void ApplyScheduledAnalyzers(Connection* conn);
+	bool ApplyScheduledAnalyzers(Connection* conn, bool init_and_event = true, TransportLayerAnalyzer* parent = 0);
 
 	/**
 	 * Schedules a particular analyzer for an upcoming connection. Once

From 4da071851147edefc41560ea1080382d39b70f01 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 13 Mar 2014 15:17:25 -0700
Subject: [PATCH 100/220] Finishing touches of the x509 file analyzer.

Mostly baseline updates and new tests.

addresses BIT-953, BIT-760, BIT-1150
---
 scripts/base/init-bare.bro                    |   2 -
 scripts/base/init-default.bro                 |   4 +-
 scripts/base/protocols/ssl/files.bro          |   7 +-
 .../policy/protocols/ssl/expiring-certs.bro   |   8 +-
 scripts/policy/protocols/ssl/known-certs.bro  |   9 +
 src/file_analysis/analyzer/x509/functions.bif |  11 +-
 .../btest/Baseline/bifs.x509_verify/.stdout   |   7 +
 .../canonified_loaded_scripts.log             |   8 +-
 .../canonified_loaded_scripts.log             |  15 +-
 .../ssl.log                                   |  12 +-
 .../x509.log                                  |  21 +
 .../scripts.base.protocols.ssl.basic/ssl.log  |  10 +-
 .../scripts.base.protocols.ssl.basic/x509.log |  11 +
 .../ssl.log                                   |  10 +-
 .../ssl.log                                   |  10 +-
 .../x509.log                                  |  12 +
 .../all-events-no-args.log                    |  81 ++++
 .../all-events.log                            | 420 +++++++++++++++---
 .../ssl-events.log                            |  18 +-
 .../notice.log                                |  11 +
 .../certs-remote.pem                          |  56 +--
 .../known_certs.log                           |  10 +
 .../ssl.log                                   |  11 +
 .../x509.log                                  |  15 +
 .../ssl.log                                   |  11 +
 .../btest/Traces/tls/google-duplicate.trace   | Bin 0 -> 14122 bytes
 testing/btest/Traces/{ => tls}/ssl.v3.trace   | Bin
 .../{ => tls}/tls-1.2-handshake-failure.trace | Bin
 .../{ => tls}/tls-conn-with-extensions.trace  | Bin
 .../btest/Traces/tls/tls-expired-cert.trace   | Bin 0 -> 14054 bytes
 testing/btest/Traces/{ => tls}/tls1.2.trace   | Bin
 testing/btest/bifs/x509_verify.bro            |  25 ++
 .../scripts/base/protocols/ftp/gridftp.test   |   1 +
 .../scripts/base/protocols/ssl/basic.test     |   3 +-
 .../base/protocols/ssl/tls-1.2-ciphers.test   |   2 +-
 .../ssl/tls-1.2-handshake-failure.test        |   2 +-
 .../base/protocols/ssl/tls-1.2-random.test    |   2 +-
 .../scripts/base/protocols/ssl/tls-1.2.test   |   3 +-
 .../base/protocols/ssl/x509_extensions.test   |   4 +-
 .../btest/scripts/policy/misc/dump-events.bro |   6 +-
 .../policy/protocols/ssl/expiring-certs.bro   |   7 +
 .../protocols/ssl/extract-certs-pem.bro       |   2 +-
 .../policy/protocols/ssl/known-certs.bro      |   9 +
 .../policy/protocols/ssl/validate-certs.bro   |   4 +
 44 files changed, 712 insertions(+), 148 deletions(-)
 create mode 100644 testing/btest/Baseline/bifs.x509_verify/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/known_certs.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
 create mode 100644 testing/btest/Traces/tls/google-duplicate.trace
 rename testing/btest/Traces/{ => tls}/ssl.v3.trace (100%)
 rename testing/btest/Traces/{ => tls}/tls-1.2-handshake-failure.trace (100%)
 rename testing/btest/Traces/{ => tls}/tls-conn-with-extensions.trace (100%)
 create mode 100644 testing/btest/Traces/tls/tls-expired-cert.trace
 rename testing/btest/Traces/{ => tls}/tls1.2.trace (100%)
 create mode 100644 testing/btest/bifs/x509_verify.bro
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/known-certs.bro
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-certs.bro

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f845c3e68d..e65cdaf883 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2764,8 +2764,6 @@ export {
 		key_length: count &optional; ##< key-length in bits  
 		exponent: string &optional; ##< exponent, if RSA-certificate
 		curve: string &optional; ##< curve, if EC-certificate
-		#ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
-		#path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
 	} &log;
 
 	type Extension: record {
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 91f1157811..b4dca043c0 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -38,9 +38,6 @@
 @load base/frameworks/sumstats
 @load base/frameworks/tunnels
 
-# needed for the SSL protocol
-@load base/files/x509
-
 @load base/protocols/conn
 @load base/protocols/dhcp
 @load base/protocols/dnp3
@@ -60,6 +57,7 @@
 @load base/files/hash
 @load base/files/extract
 @load base/files/unified2
+@load base/files/x509
 
 @load base/misc/find-checksum-offloading
 @load base/misc/find-filtered-trace
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 4216f26fe3..997258a3c3 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -70,8 +70,7 @@ function get_file_handle(c: connection, is_orig: bool): string
 
 function describe_file(f: fa_file): string
 	{
-	# This shouldn't be needed, but just in case...
-	if ( f$source != "SSL" )
+	if ( f$source != "SSL" || ! f?$info || ! f$info?$x509 || ! f$info$x509?$certificate )
 		return "";
 
 	# It is difficult to reliably describe a certificate - especially since
@@ -88,7 +87,9 @@ function describe_file(f: fa_file): string
 			}
 		}
 
-	return "";
+	return cat("Serial: ", f$info$x509$certificate$serial, " Subject: ",
+		f$info$x509$certificate$subject, " Issuer: ",
+		f$info$x509$certificate$issuer);
 	}
 
 event bro_init() &priority=5
diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index a76dc542f4..230c9524cd 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -39,24 +39,24 @@ event ssl_established(c: connection) &priority=3
 		 ! addr_matches_host(c$id$resp_h, notify_certs_expiration) )
 		return;
 
-	local hash = c$ssl$cert_chain[0]$md5;
+	local fuid = c$ssl$cert_chain_fuids[0];
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
 	
 	if ( cert$not_valid_before > network_time() )
 		NOTICE([$note=Certificate_Not_Valid_Yet,
 		        $conn=c, $suppress_for=1day,
 		        $msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
+		        $fuid=fuid]);
 	
 	else if ( cert$not_valid_after < network_time() )
 		NOTICE([$note=Certificate_Expired,
 		        $conn=c, $suppress_for=1day,
 		        $msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
+		        $fuid=fuid]);
 	
 	else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
 		NOTICE([$note=Certificate_Expires_Soon,
 		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
 		        $conn=c, $suppress_for=1day,
-		        $identifier=cat(c$id$resp_h, c$id$resp_p, hash)]);
+		        $fuid=fuid]);
 	}
diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro
index e0e76eb526..739b11e767 100644
--- a/scripts/policy/protocols/ssl/known-certs.bro
+++ b/scripts/policy/protocols/ssl/known-certs.bro
@@ -51,6 +51,15 @@ event ssl_established(c: connection) &priority=3
 	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 )
 		return;
 
+	local fuid = c$ssl$cert_chain_fuids[0];
+
+	if ( ! c$ssl$cert_chain[0]?$sha1 )
+		{
+		Reporter::error(fmt("Certificate with fuid %s did not contain sha1 hash when checking for known certs. Aborting",
+			fuid));
+		return;
+		}
+
 	local hash = c$ssl$cert_chain[0]$sha1;
 	local cert = c$ssl$cert_chain[0]$x509$certificate;
 
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 4c1b31942f..40af444a98 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -102,13 +102,15 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 ##
 ## root_certs: A list of root certificates to validate the certificate chain
 ##
+## verify_time: Time for the validity check of the certificates.
+##
 ## Returns: A record of type X509::Result containing the result code of the verify
 ##          operation. In case of success also returns the full certificate chain.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse
 ##              x509_get_certificate_string
-function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string%): X509::Result
+function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
 	X509_STORE* ctx = 0;
 	int i = 0;
@@ -190,12 +192,13 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 
 	X509_STORE_CTX csc;
 	X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs);
-	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
+	X509_STORE_CTX_set_time(&csc, 0, (time_t) verify_time);
+	X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_USE_CHECK_TIME);
 
 	int result = X509_verify_cert(&csc);
 
 	VectorVal* chainVector = 0;
-		if ( result == 1 ) // we have a valid chain. try to get it...
+	if ( result == 1 ) // we have a valid chain. try to get it...
 		{
 		STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(&csc); // get1 = deep copy
 
@@ -206,7 +209,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			}
 		
 		int num_certs = sk_X509_num(chain);
-		chainVector = new VectorVal(new VectorType(base_type(TYPE_OPAQUE)));
+		chainVector = new VectorVal(new VectorType(base_type(TYPE_ANY)));
 
 		for ( int i = 0; i < num_certs; i++ ) 
 			{
diff --git a/testing/btest/Baseline/bifs.x509_verify/.stdout b/testing/btest/Baseline/bifs.x509_verify/.stdout
new file mode 100644
index 0000000000..38729453d9
--- /dev/null
+++ b/testing/btest/Baseline/bifs.x509_verify/.stdout
@@ -0,0 +1,7 @@
+Validation result: certificate has expired
+Validation result: ok
+Resulting chain:
+Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
+Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
+Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
+Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 0218611d1c..dd7d539ed0 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-10-30-16-52-11
+#open	2014-03-04-06-37-10
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -56,7 +56,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro
     build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro
@@ -65,6 +64,9 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
     build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
@@ -101,4 +103,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2013-10-30-16-52-11
+#close	2014-03-04-06-37-10
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 76b3f3a596..6637000867 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-01-31-22-54-38
+#open	2014-03-13-22-14-10
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -56,7 +56,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_SSL.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_SteppingStone.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Syslog.events.bif.bro
     build/scripts/base/bif/plugins/Bro_TCP.events.bif.bro
@@ -65,6 +64,9 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
     build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
@@ -187,6 +189,11 @@ scripts/base/init-default.bro
         scripts/base/protocols/ssl/consts.bro
         scripts/base/protocols/ssl/main.bro
         scripts/base/protocols/ssl/mozilla-ca-list.bro
+        scripts/base/protocols/ssl/files.bro
+          scripts/base/files/x509/__load__.bro
+            scripts/base/files/x509/main.bro
+              scripts/base/files/hash/__load__.bro
+                scripts/base/files/hash/main.bro
   scripts/base/protocols/http/__load__.bro
     scripts/base/protocols/http/main.bro
     scripts/base/protocols/http/entities.bro
@@ -213,8 +220,6 @@ scripts/base/init-default.bro
     scripts/base/protocols/syslog/consts.bro
     scripts/base/protocols/syslog/main.bro
   scripts/base/protocols/tunnels/__load__.bro
-  scripts/base/files/hash/__load__.bro
-    scripts/base/files/hash/main.bro
   scripts/base/files/extract/__load__.bro
     scripts/base/files/extract/main.bro
   scripts/base/files/unified2/__load__.bro
@@ -222,4 +227,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-01-31-22-54-38
+#close	2014-03-13-22-14-10
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
index 32df4c69f2..3b04596f6f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-04-22-24-11
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
-1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	T
-1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	-	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	T
-#close	2014-03-04-22-24-11
+#open	2014-03-13-20-45-24
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+#close	2014-03-13-20-45-24
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log
new file mode 100644
index 0000000000..827bfd97de
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log
@@ -0,0 +1,21 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-03-13-20-45-24
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1348168976.510615	FBtbj87tgpyeDSj31	2	01	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.510615	F8TfgZ31c1dFu8Kt2k	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+1348168976.514202	FVNYOh2BeQBb7MpCPe	2	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.514202	FwjBou1e5DbpE0eOgk	2	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.514202	FbYQmk4x4M4Bx3PZme	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+1348168976.551554	F4SSqN31HDIrrH5Q8h	2	3792E385	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.551554	FJHp5Pf6VLQsRQK3	2	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.551554	FHACqa3dX9BXRV2av	2	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.551554	FNnDVT1NURRWeoLLN3	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+1348168976.554445	FFWYVj4BcvQb35WIaf	2	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.554445	Fj16G835fnJgnVlKU6	2	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.554445	FGONoc1Nj0Ka5zlxDa	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+#close	2014-03-13-20-45-24
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
index 172cd19afa..455d8606e8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-04-22-02-50
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
-1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	-	-	-	T
-#close	2014-03-04-22-02-50
+#open	2014-03-13-20-45-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
+#close	2014-03-13-20-45-46
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
new file mode 100644
index 0000000000..350673c2c8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-03-13-20-45-46
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1335538392.343624	F6wfNWn8LR755SYo7	2	36F5DA5300000000505E	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	*.gstatic.com,gstatic.com,*.metric.gstatic.com	-	-	-	-	-
+1335538392.343624	FJl60T1mOolaez9T0h	2	0B6771	CN=Google Internet Authority,O=Google Inc,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1244493807.000000	1370634207.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	0
+#close	2014-03-13-20-45-46
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
index 92d7e3a1ab..88f3c2126e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-04-21-57-58
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
-1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	-	-	-	-	handshake_failure	-	-	F
-#close	2014-03-04-21-57-58
+#open	2014-03-13-20-46-30
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
+#close	2014-03-13-20-46-30
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
index ed1ff6a70b..0bb8b5810d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-04-22-03-00
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	subject	issuer_subject	not_valid_before	not_valid_after	last_alert	client_subject	client_issuer_subject	established
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	time	time	string	string	string	bool
-1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1304467200.000000	1467676799.000000	-	-	-	T
-#close	2014-03-04-22-03-00
+#open	2014-03-13-20-46-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
+#close	2014-03-13-20-46-09
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log
new file mode 100644
index 0000000000..5aeca0e664
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-03-13-20-46-09
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1357328848.591964	FlnQzb2dJK4p9jXwmd	2	99FAA8037A4EB2FAEF84EB5E55D5B8C8	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1304467200.000000	1467676799.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.taleo.net,taleo.net	-	-	-	F	-
+1357328848.591964	FaDzX22O4j3kFF6Jqg	2	1690C329B6780607511F05B0344846CB	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	1271376000.000000	1590835718.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1357328848.591964	F9Tsjm3OdCmGGw43Yh	2	01	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	959683718.000000	1590835718.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-03-13-20-46-09
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index daa0f9f43f..4e01411971 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -7,24 +7,105 @@
 1170717505.549109 protocol_confirmation
 1170717505.549109 ssl_client_hello
 1170717505.734145 ssl_server_hello
+1170717505.735416 get_file_handle
+1170717505.735416 file_new
+1170717505.735416 file_over_new_connection
 1170717505.735416 x509_certificate
+1170717505.735416 x509_extension
+1170717505.735416 x509_ext_basic_constraints
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 file_hash
+1170717505.735416 file_hash
+1170717505.735416 file_state_remove
+1170717505.735416 get_file_handle
+1170717505.735416 file_new
+1170717505.735416 file_over_new_connection
 1170717505.735416 x509_certificate
+1170717505.735416 x509_extension
+1170717505.735416 x509_ext_basic_constraints
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 x509_extension
+1170717505.735416 file_hash
+1170717505.735416 file_hash
+1170717505.735416 file_state_remove
 1170717505.934612 ssl_established
 1170717508.515696 new_connection
 1170717508.696747 connection_established
 1170717508.697180 protocol_confirmation
 1170717508.697180 ssl_client_hello
 1170717508.881857 ssl_server_hello
+1170717508.883051 get_file_handle
+1170717508.883051 file_new
+1170717508.883051 file_over_new_connection
 1170717508.883051 x509_certificate
+1170717508.883051 x509_extension
+1170717508.883051 x509_ext_basic_constraints
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 file_hash
+1170717508.883051 file_hash
+1170717508.883051 file_state_remove
+1170717508.883051 get_file_handle
+1170717508.883051 file_new
+1170717508.883051 file_over_new_connection
 1170717508.883051 x509_certificate
+1170717508.883051 x509_extension
+1170717508.883051 x509_ext_basic_constraints
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 x509_extension
+1170717508.883051 file_hash
+1170717508.883051 file_hash
+1170717508.883051 file_state_remove
 1170717509.082241 ssl_established
 1170717511.541455 new_connection
 1170717511.722589 connection_established
 1170717511.722913 protocol_confirmation
 1170717511.722913 ssl_client_hello
 1170717511.908619 ssl_server_hello
+1170717511.909717 get_file_handle
+1170717511.909717 file_new
+1170717511.909717 file_over_new_connection
 1170717511.909717 x509_certificate
+1170717511.909717 x509_extension
+1170717511.909717 x509_ext_basic_constraints
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 file_hash
+1170717511.909717 file_hash
+1170717511.909717 file_state_remove
+1170717511.909717 get_file_handle
+1170717511.909717 file_new
+1170717511.909717 file_over_new_connection
 1170717511.909717 x509_certificate
+1170717511.909717 x509_extension
+1170717511.909717 x509_ext_basic_constraints
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 x509_extension
+1170717511.909717 file_hash
+1170717511.909717 file_hash
+1170717511.909717 file_state_remove
 1170717512.108799 ssl_established
 1170717528.851698 ChecksumOffloading::check
 1170717528.851698 connection_state_remove
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 59c9d6d026..f383249428 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -14,7 +14,7 @@
                   [2] aid: count         = 3
 
 1170717505.549109 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 2
                   [2] possible_ts: time  = 0.0
                   [3] client_random: string = \xe6\xb8\xef\xdf\x91\xcfD\xf7\xea\xe4<\x839\x8f\xdc\xb2
@@ -22,7 +22,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717505.734145 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717513.0
                   [3] server_random: string = +e\x8dQ\x83\xbb\xae\xdb\xf3^\x8f^Ro\xf9&\xb1Iy\xcdp=$*\xea\x99j_\xda
@@ -30,24 +30,130 @@
                   [5] cipher: count      = 4
                   [6] comp_method: count = 0
 
-1170717505.735416 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] is_orig: bool      = F
-                  [2] cert: X509         = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0]
-                  [3] chain_idx: count   = 0
-                  [4] chain_len: count   = 2
-                  [5] der_cert: string   = 0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4
+1170717505.735416 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SSL
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717505.735416 file_new
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+
+1170717505.735416 file_over_new_connection
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
 1170717505.735416 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] is_orig: bool      = F
-                  [2] cert: X509         = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0]
-                  [3] chain_idx: count   = 1
-                  [4] chain_len: count   = 2
-                  [5] der_cert: string   = 0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] cert_ref: opaque of x509 = <no value description>
+                  [2] cert: X509::Certificate = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]
+
+1170717505.735416 x509_ext_basic_constraints
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]
+
+1170717505.735416 file_hash
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 2c322ae2b7fe91391345e070b63668978bb1c9da
+
+1170717505.735416 file_hash
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 38a0a008a978591ccbe41f50a174751a
+
+1170717505.735416 file_state_remove
+                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+
+1170717505.735416 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SSL
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717505.735416 file_new
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+
+1170717505.735416 file_over_new_connection
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717505.735416 x509_certificate
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] cert_ref: opaque of x509 = <no value description>
+                  [2] cert: X509::Certificate = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]
+
+1170717505.735416 x509_ext_basic_constraints
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
+
+1170717505.735416 x509_extension
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]
+
+1170717505.735416 file_hash
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = de0f3a63cad13841e9b62c94502cb189d7661e49
+
+1170717505.735416 file_hash
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 81c888530afcad916fbe71d9417bf10c
+
+1170717505.735416 file_state_remove
+                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1170717505.934612 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717508.515696 new_connection
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717508.515696, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -61,7 +167,7 @@
                   [2] aid: count         = 7
 
 1170717508.697180 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486404.0
                   [3] client_random: string = \xa8\xa2\xabs\x9ad\xab\xb4\xe6\x8c\xfc\xfc4p\xffbi\xb1\xa8hXP\x1f\xbb\xd12~\xd8
@@ -69,7 +175,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717508.881857 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717516.0
                   [3] server_random: string = ^O\xac^?x#X|hC\x8c\x87\x87e3\xaf{^K\xaa*\x8f^Px\xeb\x8d^X"G\xe9
@@ -77,24 +183,130 @@
                   [5] cipher: count      = 4
                   [6] comp_method: count = 0
 
-1170717508.883051 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] is_orig: bool      = F
-                  [2] cert: X509         = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0]
-                  [3] chain_idx: count   = 0
-                  [4] chain_len: count   = 2
-                  [5] der_cert: string   = 0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4
+1170717508.883051 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SSL
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717508.883051 file_new
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+
+1170717508.883051 file_over_new_connection
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
 1170717508.883051 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] is_orig: bool      = F
-                  [2] cert: X509         = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0]
-                  [3] chain_idx: count   = 1
-                  [4] chain_len: count   = 2
-                  [5] der_cert: string   = 0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] cert_ref: opaque of x509 = <no value description>
+                  [2] cert: X509::Certificate = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]
+
+1170717508.883051 x509_ext_basic_constraints
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]
+
+1170717508.883051 file_hash
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 2c322ae2b7fe91391345e070b63668978bb1c9da
+
+1170717508.883051 file_hash
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 38a0a008a978591ccbe41f50a174751a
+
+1170717508.883051 file_state_remove
+                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+
+1170717508.883051 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SSL
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717508.883051 file_new
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+
+1170717508.883051 file_over_new_connection
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717508.883051 x509_certificate
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] cert_ref: opaque of x509 = <no value description>
+                  [2] cert: X509::Certificate = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]
+
+1170717508.883051 x509_ext_basic_constraints
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
+
+1170717508.883051 x509_extension
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]
+
+1170717508.883051 file_hash
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = de0f3a63cad13841e9b62c94502cb189d7661e49
+
+1170717508.883051 file_hash
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 81c888530afcad916fbe71d9417bf10c
+
+1170717508.883051 file_state_remove
+                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1170717509.082241 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717511.541455 new_connection
                   [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717511.541455, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
@@ -108,7 +320,7 @@
                   [2] aid: count         = 11
 
 1170717511.722913 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486407.0
                   [3] client_random: string = $^F^D\xbe/VD\xc8\xdf\xd2\xe5\x1c\xc2\xb3\xa3^Aq\xbdX\x85>\xd7\xc6\xe3\xfc\xd1\x88F
@@ -116,7 +328,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717511.908619 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717519.0
                   [3] server_random: string = \xfd\x1b\x8c^S^H\xa2\xca\xac^A^O\xcbv\xe9\xbd!\x98}\x89|\xb6\xc0(\xcd\xb3^WmY^D
@@ -124,38 +336,144 @@
                   [5] cipher: count      = 4
                   [6] comp_method: count = 0
 
-1170717511.909717 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] is_orig: bool      = F
-                  [2] cert: X509         = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0]
-                  [3] chain_idx: count   = 0
-                  [4] chain_len: count   = 2
-                  [5] der_cert: string   = 0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4
+1170717511.909717 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SSL
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717511.909717 file_new
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+
+1170717511.909717 file_over_new_connection
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
 1170717511.909717 x509_certificate
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] is_orig: bool      = F
-                  [2] cert: X509         = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0]
-                  [3] chain_idx: count   = 1
-                  [4] chain_len: count   = 2
-                  [5] der_cert: string   = 0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] cert_ref: opaque of x509 = <no value description>
+                  [2] cert: X509::Certificate = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]
+
+1170717511.909717 x509_ext_basic_constraints
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]
+
+1170717511.909717 file_hash
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 2c322ae2b7fe91391345e070b63668978bb1c9da
+
+1170717511.909717 file_hash
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 38a0a008a978591ccbe41f50a174751a
+
+1170717511.909717 file_state_remove
+                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
+
+1170717511.909717 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SSL
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717511.909717 file_new
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+
+1170717511.909717 file_over_new_connection
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1170717511.909717 x509_certificate
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] cert_ref: opaque of x509 = <no value description>
+                  [2] cert: X509::Certificate = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]
+
+1170717511.909717 x509_ext_basic_constraints
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
+
+1170717511.909717 x509_extension
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] ext: X509::Extension = [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]
+
+1170717511.909717 file_hash
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = de0f3a63cad13841e9b62c94502cb189d7661e49
+
+1170717511.909717 file_hash
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 81c888530afcad916fbe71d9417bf10c
+
+1170717511.909717 file_state_remove
+                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1170717512.108799 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717528.851698 ChecksumOffloading::check
 1170717528.851698 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=6012, state=5, num_pkts=61, num_bytes_ip=9160, flow_label=0], resp=[size=121583, state=5, num_pkts=101, num_bytes_ip=126847, flow_label=0], start_time=1170717508.515696, duration=3.001729, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFRfR, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=6012, state=5, num_pkts=61, num_bytes_ip=9160, flow_label=0], resp=[size=121583, state=5, num_pkts=101, num_bytes_ip=126847, flow_label=0], start_time=1170717508.515696, duration=3.001729, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFRfR, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717531.882302 net_done
                   [0] t: time            = 1170717531.882302
 
 1170717531.882302 filter_change_tracking
 1170717531.882302 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=4879, state=5, num_pkts=32, num_bytes_ip=6555, flow_label=0], resp=[size=32965, state=6, num_pkts=36, num_bytes_ip=34813, flow_label=0], start_time=1170717505.366729, duration=23.667015, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFr, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=4879, state=5, num_pkts=32, num_bytes_ip=6555, flow_label=0], resp=[size=32965, state=6, num_pkts=36, num_bytes_ip=34813, flow_label=0], start_time=1170717505.366729, duration=23.667015, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFr, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717531.882302 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=842, state=5, num_pkts=11, num_bytes_ip=1414, flow_label=0], resp=[size=3613, state=5, num_pkts=11, num_bytes_ip=4197, flow_label=0], start_time=1170717511.541455, duration=20.340781, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFfR, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=842, state=5, num_pkts=11, num_bytes_ip=1414, flow_label=0], resp=[size=3613, state=5, num_pkts=11, num_bytes_ip=4197, flow_label=0], start_time=1170717511.541455, duration=20.340781, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFfR, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717531.882302 bro_done
 1170717531.882302 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
index b37425ac1c..1cab8fa5f2 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
@@ -1,5 +1,5 @@
 1170717505.549109 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 2
                   [2] possible_ts: time  = 0.0
                   [3] client_random: string = \xe6\xb8\xef\xdf\x91\xcfD\xf7\xea\xe4<\x839\x8f\xdc\xb2
@@ -7,7 +7,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717505.734145 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717513.0
                   [3] server_random: string = +e\x8dQ\x83\xbb\xae\xdb\xf3^\x8f^Ro\xf9&\xb1Iy\xcdp=$*\xea\x99j_\xda
@@ -16,10 +16,10 @@
                   [6] comp_method: count = 0
 
 1170717505.934612 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717508.697180 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486404.0
                   [3] client_random: string = \xa8\xa2\xabs\x9ad\xab\xb4\xe6\x8c\xfc\xfc4p\xffbi\xb1\xa8hXP\x1f\xbb\xd12~\xd8
@@ -27,7 +27,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717508.881857 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717516.0
                   [3] server_random: string = ^O\xac^?x#X|hC\x8c\x87\x87e3\xaf{^K\xaa*\x8f^Px\xeb\x8d^X"G\xe9
@@ -36,10 +36,10 @@
                   [6] comp_method: count = 0
 
 1170717509.082241 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 1170717511.722913 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 2486407.0
                   [3] client_random: string = $^F^D\xbe/VD\xc8\xdf\xd2\xe5\x1c\xc2\xb3\xa3^Aq\xbdX\x85>\xd7\xc6\xe3\xfc\xd1\x88F
@@ -47,7 +47,7 @@
                   [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
 
 1170717511.908619 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=<uninitialized>, issuer_subject=<uninitialized>, not_valid_before=<uninitialized>, not_valid_after=<uninitialized>, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=<uninitialized>, cert_chain=[], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] version: count     = 769
                   [2] possible_ts: time  = 1170717519.0
                   [3] server_random: string = \xfd\x1b\x8c^S^H\xa2\xca\xac^A^O\xcbv\xe9\xbd!\x98}\x89|\xb6\xc0(\xcd\xb3^WmY^D
@@ -56,5 +56,5 @@
                   [6] comp_method: count = 0
 
 1170717512.108799 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer_subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, last_alert=<uninitialized>, client_subject=<uninitialized>, client_issuer_subject=<uninitialized>, cert=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, cert_chain=[0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#], client_cert=<uninitialized>, client_cert_chain=[], analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
new file mode 100644
index 0000000000..2368f95505
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-03-13-21-37-53
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
+1394745603.293028	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	F1fX1R2cDOzbvg17ye	-	-	tcp	SSL::Certificate_Expired	Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000	-	192.168.4.149	87.98.220.10	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1394745619.197766	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	F6NAbK127LhNBaEe5c	-	-	tcp	SSL::Certificate_Expires_Soon	Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000	-	192.168.4.149	122.1.240.204	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+#close	2014-03-13-21-37-53
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem b/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem
index 1767a32095..086a72e1fa 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.extract-certs-pem/certs-remote.pem
@@ -1,34 +1,26 @@
 -----BEGIN CERTIFICATE-----
-MIIEfDCCA+WgAwIBAgIQBKeBFvADKDvaK4RiBJ+eyzANBgkqhk
-iG9w0BAQUFADCBujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3Qg
-TmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAxBg
-NVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENB
-IC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS
-9DUFMgSW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5
-NyBWZXJpU2lnbjAeFw0wNjExMTQwMDAwMDBaFw0wNzExMTQyMz
-U5NTlaMIHAMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmF5ZXJu
-MREwDwYDVQQHFAhNdWVuY2hlbjE3MDUGA1UEChQuQUdJUyBBbG
-xpYW56IERyZXNkbmVyIEluZm9ybWF0aW9uc3N5c3RlbWUgR21i
-SDEzMDEGA1UECxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2
-lnbi5jb20vcnBhIChjKTAwMR8wHQYDVQQDFBZ3d3cuZHJlc2Ru
-ZXItcHJpdmF0LmRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ
-KBgQDrqHR+++O06r6LHD3t6oYEYlHgKlqehm+Yy7zF7cXIylad
-TJJY4WsTb7y35S6YQPeP1qPACqtGUhs4/AUg54Duxl3VuwP8xY
-O6mmcI/Sy6owiU8LMfFij2BWZbv3+oWfq+mWs2YrhuxoNHU2MP
-WrRRwYioVbnUMW09KkqVCtF7hwIDAQABo4IBeTCCAXUwCQYDVR
-0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7oDmgN4Y1
-aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYX
-Rpb25hbFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhF
-AQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2
-lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCGSAGG+EIEAQYIKwYB
-BQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBg
-EFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsG
-AQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBw
-YFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6
-Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMA0GCSqGSI
-b3DQEBBQUAA4GBAC9z4m/BniN+WVCJlXhv6QS9mFRTYOwIUtIK
-KZKabarVsWfBYt7JGE5XPWmcsgNmkgO76E3FmNQvQtm20uCXEF
-h2z+fWp8y72yXuQl3L8HSr0lTl6LpRD6TDPjT6UvKg5nr0j9x2
-Qr09/HjAt+teLR/FoF7foBGH+MNYEMh5KPjk
+MIIEfDCCA+WgAwIBAgIQBKeBFvADKDvaK4RiBJ+eyzANBgkqhkiG9w0BAQUFADCB
+ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
+aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
+dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
+SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
+NjExMTQwMDAwMDBaFw0wNzExMTQyMzU5NTlaMIHAMQswCQYDVQQGEwJERTEPMA0G
+A1UECBMGQmF5ZXJuMREwDwYDVQQHFAhNdWVuY2hlbjE3MDUGA1UEChQuQUdJUyBB
+bGxpYW56IERyZXNkbmVyIEluZm9ybWF0aW9uc3N5c3RlbWUgR21iSDEzMDEGA1UE
+CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMR8w
+HQYDVQQDFBZ3d3cuZHJlc2RuZXItcHJpdmF0LmRlMIGfMA0GCSqGSIb3DQEBAQUA
+A4GNADCBiQKBgQDrqHR+++O06r6LHD3t6oYEYlHgKlqehm+Yy7zF7cXIyladTJJY
+4WsTb7y35S6YQPeP1qPACqtGUhs4/AUg54Duxl3VuwP8xYO6mmcI/Sy6owiU8LMf
+Fij2BWZbv3+oWfq+mWs2YrhuxoNHU2MPWrRRwYioVbnUMW09KkqVCtF7hwIDAQAB
+o4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7oDmg
+N4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25hbFNl
+cnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIB
+FhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCGSAGG
++EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
+BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEwX6Fd
+oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU
+SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMA0G
+CSqGSIb3DQEBBQUAA4GBAC9z4m/BniN+WVCJlXhv6QS9mFRTYOwIUtIKKZKabarV
+sWfBYt7JGE5XPWmcsgNmkgO76E3FmNQvQtm20uCXEFh2z+fWp8y72yXuQl3L8HSr
+0lTl6LpRD6TDPjT6UvKg5nr0j9x2Qr09/HjAt+teLR/FoF7foBGH+MNYEMh5KPjk
 -----END CERTIFICATE-----
-
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/known_certs.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/known_certs.log
new file mode 100644
index 0000000000..98a63a358c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/known_certs.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_certs
+#open	2014-03-13-21-47-24
+#fields	ts	host	port_num	subject	issuer_subject	serial
+#types	time	addr	port	string	string	string
+1394747126.871404	74.125.239.129	443	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	4A2C8628C1010633
+#close	2014-03-13-21-47-24
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
new file mode 100644
index 0000000000..ec0a90929b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-03-13-21-47-24
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-03-13-21-47-24
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
new file mode 100644
index 0000000000..df68558d9b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-03-13-21-47-24
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1394747126.862409	FlaIzV19yTmBYwWwc6	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1394747126.862409	F0BeiV3cMsGkNML0P2	2	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1394747126.862409	F6PfYi2WUoPdIJrhpg	2	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+1394747129.512954	FOye6a4kt8a7QChqw3	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1394747129.512954	FytlLr3jOQenFAVtYi	2	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1394747129.512954	FEmnxy4DGbxkmtQJS1	2	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-03-13-21-47-24
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
new file mode 100644
index 0000000000..16fcee9111
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-03-13-21-53-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
+1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
+#close	2014-03-13-21-53-03
diff --git a/testing/btest/Traces/tls/google-duplicate.trace b/testing/btest/Traces/tls/google-duplicate.trace
new file mode 100644
index 0000000000000000000000000000000000000000..e78fb01a807e64139133da59aae12be9119527ba
GIT binary patch
literal 14122
zcmeHuc{o+w`~E&7;h4vSgESboF%l_B^cspHiVOz_Ifg@2rjwKuDMLy{deKN4D5;&w
zluD)ELYk$bB#Bq@UF#Tfkk22#_rG7~y7qOQwd{SbwVvnR_p|r9kA@q?Ie3JKjC=+M
z5d;SsJ+l<-ws-L%*5ErlkXbw4?T#&=dM&G6!Ht+9h{<BI31UL-3&jeEX_k?nW83fH
z$`p8W?BK~o_`yL<Nd&<YN#}6{0uhJf=8>wI{~i8~h#x{H@=_2>(1ynl?$8))^aZIK
z5JZ>UB@B__2)MHLd+qr2X<!8VY~eiB+4I@x=|ns?PZ(uOK12s2k>R{80rFyi3Xci%
z*4Y~i=Y5<!Zr=6)ohL?+s@2p4A}}=H0f-C{`vD>ggasbs5pm3j42XyoO^PT<)#54O
zL=-3BaE3SpH;+J=?t>MS{dJ^RM>6f(ler=n-pH%T^L(i<q+53t<-ahZB1krdVyf62
zY$hg(@n8y=Jd%qXLHrP3!~oGpb|Bj^EleF##%5sx7zsIq7$Ley943r$V>2*mL>v*p
zC>R0Z!89-xY&NEdiD1((IZPHgiX29~5felk(LxR&nINT0FilJin~N!7{1_3*LKYwz
zNIJ3z;lhM4E{qSuBP2i+F+>=dhKM3U2sc7T2*@BF#AE})ix3G24v+94IslL#p&(MA
zj}MUqC-Z=5NU%@m0vCz_5E1|p0X)M400Bf0fGL8&QV=R4OU9A$WC96C!jk}Rh<GA_
zfFs}u1UwFp$HTL6IG7P0g<m<Iz#g5{05*H1#<7P-f%j-?j37R(S8FIEAit*pa|R${
z+iVI_M?%=gctq0G)If;XzWaBG)IFn!XCR_Dfq*OqOgAPF>=b78$b7wX^+L7(yG{Fi
z@@!X33q@XBXzNX@&Hd>Z6OCXR2qHcR2!V`-5rzXU6~OQ}^CJ9D5dKF9mnq8PT8Og9
zv$NUZ;I>qapK~2Y)<!AhY0B}-;=faHI1&j#Ei`%2X=K7GB3T5#%1%=R6@m>O5gu~}
z!`q)mwFvOgR6-SDCqZP!XeW~v96)1I7lkr?7{PRA1l3#%m6f1q>Y!R$x|+J02AcX#
z?53`k9?JeWp<a^?#m&cK>gG@PVgv`!-898fQ8*MAAH|9h8o+d;2T)hjX&Xo9#W!|d
zVyFmvUVMDY>fY?>s(Uatpe&ri*j3_42!VwYKtMkao`u69PdE0Tv&)Z2$T#BJa$50V
z?@wdzPl0Y%6D#tFHP^+fF1_FqC`fpy_Wi=Q-m)7ij0&_xnyOxOZ54y7iC(L@zdyp*
za@{}f63u0D1`0)<sh_{@%d7h<cjnwJ_L!H@vm=b^4yo_n1T@p%tKfCY0A&vnZIJ2o
z5z7!gXDUn{aIso(^V#9VvYUJfCb^5wg!g46+FYU#C5Qo*A1{WcGyh)x<hbM`DS;n1
z1|6jZN?R6bv~@qs(s*^hRp|T@k$}X$;KQ$`+kak0-d4q(f7mUb&-6{Nj^3*|oo0Ks
zM>5Y|t(_LFv%BuAo@cw?Y)xNo?JZkxTpT>#=3M#Q^0syDPK}BbJOS`0mqp}5SwwDB
z282*Xi3kJFtwIKz;3D8gzu{39{uMkyh{(b}1&v26j##rO%Ia<bp1};dCk#DH95e$1
zX#w8!0NR+8u!NP>J^UG=o@4vKxkE`)a|>|uk6_Y0Lf9C*BmL?gZmcm4e-{6*zcAG4
z0i12$K+blkA4_1&`5V;Tg2#7+j_YtAe})HR+!-6f$8|8rUlJBDX3n0pF%4SCn1)yI
zn1)a2m<F9WrV-#jrV+@|VE&qkTOb{TE`TLEvR;si4YXhn8atjsBfVjCPa1>W1+wNH
z!gK>6XE%93GmNRp{tnU`8tmai4`8<hVatD9)*=|8%usilS^&d?!SJIGjRGKt``H(Q
z<PJA!o}nIKB*qXR$S27325<IBykn_DgncYBpoF@&KTC8{YViEJ%UQxh-#M1bGiK`C
z?D5szK?=rBOmwnop*};5huWSzXG(1kVr%;@PHjJ!I#Mmpdva<!i3^7#u0@?tm63Z2
z#mCF}Fqwh#H8cYK=wm{wVQ#U=Tua>}m^tQT+~~<3{&ZRZGemRj6%3D%z@ZzMpD0cg
zb)fYd&8-PQ-Ck1M{Xe}{`%XzQM)~0FD}uuf67eX4%E6W*Q4$r85w(0q7MH%#<8vYG
zTkOR$_vx3NVl_|+cmkCui1LFgd4M1gagQVLBpiyuKgbd1qO(z@Y{hK((TV+L75-y2
z7*rad!8jy=l9Y6vR;e%GYAKw0SpV|plJ4);&U<C0-=-uxyxHH_Pl;7Ax>?&qed*xz
zN&W6A;XscI>y!9$rx%4T@lxgg+lne^9yR06+2)4W{C}CZPiZ-xPJCJJ+HBMR)?Ddp
zOlo$2N9rZ1Tv5T^?vHu#mmDbmTNGPV+zh%;%vrRf#w$6e>tXAfhY##&YOKvZIXeT=
z<}I^*xS`h|#cuGxJ*B(nbQaHC?`0Eo(D+5s8ka9Uxm{cY#xq?LzYQ%rw!6jE8VHBo
zrC+*`I_vGBs%gz~IQgi-2>V@r+-(WWLycE(P02j6nL4u;r{9lUGV@yz$*{*xi)4B7
zvHG>(&+lr&9fGDIKyX<^A`sH{p}I`K&!>+I6uOwRP7aqu9ubN;jbR@g8p4D{SzS{a
zl>#XNRatnn-`t<!?&eQ5UBs@%+Ncf+Yq74bF0946ps6$5{4dM?|0=gx%EXOppV+3%
zC+D(WJh5GNC1K$gsle$wmPWluzV#*HuKXvbpKg>AttAQBOkO*iRmbkK+|xdNT;p2#
zk`yC+(<OD`73XF8-FDw+w)UsI7rS|{+m6z0`QwOvOXSsTKgM>f-d1i7N-$~U4q4$J
zJve_s{ycJ0`EnuR$H<v2t$jZ<gZfh+t^cZSS-AMY?GHD7rx(}RJri4=C|51zCU@sh
zfw6~5oGzUfS1omGsY0(^+SS)FmV%Ya?UysCLRAKtg2e1jw@qnEyR27+zPi}KT`T(I
zu7dA5>w8NH85x8q>}<>CLNo1qmyLr;TDp~#Dk!=MhYt1g3q>Tz&bw8Z6igo~x3T?b
zY%j;{hi%&Lvpb>xB*~LcDDp%kt+ckzdd$r{>D?&|Z$kFX%#D)4Jq;eHQGVDb0B>+2
zc+?}K^M`I!ZB!H0$X3f%iJv<xHy%*QX$&T$5Y%4{&=I2H&Gcro1_+NoYBZu!K()Z-
zsM<&y#l_1H!;D;@2GxfH@b}`u`OwLh0=<98F+#IXD~le~-*`?jJJhl4Y}D4pmxCK+
zpCsv#GhTG28O|G!UhMc&q1vxp-{rocQh@MB7w@p8CVLu1tHUWBX<m&<@r;<9%d550
z;+va&Yl*v@qkFE^F}4vLZ}_Ybxie7xJ;Eqcw{vxF`HM9jP}|Faw*UTZFYYmXH@kS2
z^WE%dYCAqhHbzh`zaBjC554Uf62RNQ8HiW|5Y<6HJSMyeP*d5}qC=UpTI9&GtA!*!
zEybR*TG%X^mU~!#Q_s@-GQx*!uGX9USoM?avY>Is>hkmzn;8zuO-E0pH}7Irq+RU{
zND~>9=v;8BSa5e;NPk;0zOu7l`&^pg>x$bxjv-A2Gu;izx`!yowadc^d({65UuQc%
zw&7EDb)bH8ai90U+fCNFVJnjTw))*6&98l#PYVB0+n8Ff%54-S9#NfbOPy)29fS~K
zQ5GQ*$W`mGTnU%8j+ZNIPPqb=1IiMQ2$xw<DBa5~TvH9yGtk2;GIO|xYDe=34W>~|
zX~9go7acqv(0;v1K<PrYP+cuepjY4nrAr^xA8r08^7y|rtFcbf10Cp=P@KLx%K7;M
zfBiQ>CE+OzS8|^G)mvbCk?`J1o{M`&qoanG!Q66Ec;X@bHd2XiRM4^3o9pw6KF7RC
zm?Lml>2b%_ucz};s`l3`medtJbb9~Nz3Mi#U$&cG7f*9gv;CZ)7PHCWbk`?WzX!<f
zOQOA^V!BVUrMa7ft5dGktWvpCpJALe%d_tJ-K|nVwbrc-k2W8dy0faKy8VHRzTMlk
zHoMe*+A8Y(@M^uCbj&~sDM`Z{r10|p)K|YRLpso7Wy}!Zk||V`O<r&C>R&xO5rYPo
zSt?CN1)}9zA0-KMRuY5Wp42vasb9vW7w4W8@j)EzcEwcMg8bg}4Qo~>8r#94S<6~|
z`cxhir~PC8M3E|JqrHF6k%lpvHL0WtKs{n>76}Er8H4|?f)&ChkB1vuu&g0Cm1vHd
zp{8Ua_==#0sKJP8;c?<>P_;t9!`8-)8#%;EBbXM#0MCoG5b!OK5khA&f+NOpn-Cj|
zguN6FuwE`M9FLNVW4Z5ja#vLaMR|Ry=x8vM8|>_?wtj4?UvvqLl&oL1^{DS{J)x|&
zWnQ@(qDw^@%zq|2tqu8c=Bc!nl>W&K9nll%4?gD35aqVGSoSvM^H#l&GOHQ2jaNcE
z_PmMSY^-qGh^xa@pPBWVU~8RIxc`$|SKLBj@LG?v;zMv21VmyHao`=FanIK?t?xYb
z9nW8vU$^>_x8bbbu!xE>r)et;q&HV#T?)J3a5Z}wDU0TO&-qrh=w&Q9XW=2yt~J`x
zeZg6vXdur1T~~CiKS_9f<$bSBOnBM8^Y|jSo!?K**w*;`+1Y~Q{XMt%`qVpmNKfay
z=E>>W*|R(~R4~tZ?fi6i*QLF!M?*a$UtITIceAwXqRaE|nSUK~mFQS<__9g{=_=9X
zej<0&t(Ws=N9;|ua+h&ABYQTepJrxs``YY?%KGLfy_KQ=wpM9KkhGzC)&cdr1-38X
zF<w29lGI@Mto>y#r+VfM?aTo6#9nZ!XIFJ%QK90ROSfn3lk@UD`rNO`T5YY%v<TAa
zu6$7`k5hO5UTwT}UZ|C3zw|Mwh2~1W8=IX^=qs!|ncn%P?X^M5?DR|hdbUQHdpES(
zuFqe`+ZF#}TZ)UW@)wH%W!5}Z{f9*zgOcqT6`scFB9^7v6_g<6E%Sr@TbWL92ZzWH
z76BLaW6C0PM;;cL0I!KfCJ$^W%ALI}FtNyp&Yh}kJ+6m{o+XnY?goe-YQZ+^__9UQ
zpdc8SFFeL?QX<7Ife>+R=A?*{RHQ0z6p;uEAzc1aL9mIsh?pJu&bczRS*%>h%p)gQ
zvHsG{a@641_Q-^<9j=lLex%#Ozu{DG6W*}NPxiv!(j*_Vj#8(ed-x7tLkAEuwUwd(
zioKPE%$Y{ZboaOuG0VJ`Ag_MCPENj|BJ0|{3R~9AN0)f2%ud9ur=EA@nfDOJynQ(Z
znFIF3;4z*^xap}OY$B<TBhqdK-dy1rK%|=eqeQwWRbxnm>p27VxlbUt1PnR0)}~mU
z%k|T7Johm%LTk&B#WkJIygSPC7gJgag_sp4BKhi3mMhMDmpT~T)ub%k&d{2t_WJNi
z?x&T7H$1=mtDg}TusnR$8ljS>ZY9b6!Hn-qrtOODGo)5m9Xxg*e(=;@e}|XHPkL5{
zn>(L6XRE4RDV8i&w76j(BOlGktM|(^S!GaZKCd>_JIg*Nh;pauaqZ)s9+EQ`T*~q}
z_u+v;@xp&90>{J+rWAg}b~t-Ft;90p+>WdexuGh$zO=jOgL_A-O*o_P<&J}N7`K&w
zO~tH4NyvjD1}6`4h1>D@A%Iz5s-KMVfEV!KVlP0XN8=DLFgiRYFw3!s&DEXzCPf6y
zG5}krLtI^WA0kSCOvnurVfL}uFiD{+JV{p;9m~n<@6s&SynD>J`aK-=d>Rh<3<iY9
z`1~U;Q<?1idvWGJKLq4o59Xf$E`y_nQDS#U)hxUZM+N)v><{k5nJO_df2-ocvfFCg
z*ERq1L3Dk(`1@07ioJG9#g`&FtjgEhVjqqQ5&q&TJ=<scz-3?D3dXiUHQl#6N*{PH
zQ7X24#$y_HC*G{Sc0>Qc`8`J#3$9m<ySH?03Ad?gVz;lX|AxM8%V(1hdpDj9m2A9X
zK6`<m$KB60bDvz``)+%gRqEt5=Sj<a<?d{mU3`MV`6X@3E^g{rN;Lf1XYXd&Tm_e3
z3YI_eTsvX;I;o*>`Q!bO0xEm?Lin_%TF&J|MAh_Ph!fJN^EwF<!=Z0n8ui-o1yn$c
zZ&yL~htv2N1{ETrQzEvWhlutMCqa~FBhn@!egueaAW86;Fh{%d`ypa{{iKM1YHcSu
z5ye2#rw>zY&ikujg)bsqcdvPxID3YLMVi!ZxCE|@se-aB91i$ZVBCPKKv3jkgs8|>
zU_*@$3gz@K#7Pnt#!j3NCvOYnLE=_JYoh7M5F!Y165#FQJ}^g(BV1D$al!#`j&u1(
z=U9&`+tjo94vZi);=Y3ID^4TMYzh1uG~ysS|3$7Tj5t{zIA0&hG4rhtY7@u=Biw~X
zT;QBvMx2SU>Uyafvn9}ogUAj5d4$3flBtu^4d<QtOE-q*eHWk~fJWTR+as|xvw+AD
zQM`m}3M1~jF+?<-HZBrFh`@*|R^db(W5n%MKOtGeZDEx!5v>_lsvajxUhC6P`{Tz-
zX*H=6;qNy8G2$jM;$TLE?)=K}M7GP)+3b-U$DRY5dLsED+ZQPeWd!8c3oyq5A~rnW
zn!<>a^@E7+`+kQ=E*wSlhKR84|1#qGlIT|Dlm&JQ{Dn1IgIZx3&fFKx4eXd2y$ug;
z{4wJG7;%4$IB5O+G2;FhaqyP{|EUoNwVnQON^SRNYx~&E0r0FLHglv}3=F^Zf@;Cm
z_CH44$WK207;%4$xIac5+&3Qf!6)6dX8$aP?W+GV;{IDB4r+TM(DvWI?dc1`cQZmb
z=et=Xe^A@>Ghj0yU-H}NyO|BtcZhfyApYKnlVw*650vvwVEP$$wE#OnxAt<r3H&kQ
zm=S-BxIaeRl)oJK|JsOi*#77})=n|27F$|)BiF(8A@jwTvtH#cS@$K1tM_Vu@;!V&
zdyqWuc<zJdXbT;Oz0Zk!$6pH^I5S^>%B*Wy)(MR`Bhzx0%YkND{xjc}vsS3iNMl@7
zd{kN2KoL6rI>~vr`xRgP5cz7!?#}%lo0oa-n)%Udo^<)<O2sYF3MH~w^ui0V{aX4>
zc%|bv->IxK+OWv-+EJzvN!<UbPlosEO@qFMpW`y_>wR+nahxxzP;h?wEN$^;dKxcI
zZoBaA9J<MhxFGeE#@Dw{J<EW4{@#d_W&gn5dq1ao$_?$z0QHpH!l|CmDl)S!GhI6^
zVz)b8*mH8O*qNZ~uB-e)qG{*+k6B7iS2z&tv~{OmrhU3u*)gTlH71wy?m3)HT(|$W
zr>H`fne~b0PwI0nT)$t#v@@f1xGx_FT9b3*{GpwuuXnr^W13V)nK}#Uxt;rrZ-_C%
zRQM~NzjhPr$lG`*u6opngNtgNvdECv!Xl%qI<d&efh|S3vm)@n8`!_?HybT7@1{ho
zD}{&w_a-7zWdPy_5z~o?3mUl)3~aE%W5Tv)@zyekSYkaXBG|(g9o_&2n^(555RNh8
zuH;v)C%Ard&-`bvou0XTuArmI-5ZbO9By8bA2=0mdbR!Q&W#Fu4hcC*9(G7nwQAFT
zO5n#74apbN`<zzpn3puhP<njVYg<FzTbEMmiQ+4^feTOPOTJpJE@*W<=x<rE4RWXI
zu5ZzH5O|XUV{XySHH8r;%l@ssw+<(fs4}1o?}A25Zu2OS7;sJh!-%`MBxkO#qhqkR
z@Tm)>yzkPsZe99L_)a=4Q$Uq)ThmKI!@X{0vHgz~52DMOTO4@eBY6lx_?H0=#Oeh$
z>%4LwU_MSqxN5ce)D5=>@@BIt*R&fcw>#1A?rr57&^cVv<lb>%xy_6ZZwu!(TAu$9
zXKJ(TU=_B?F0FW{SU&$lnL9D1LMh2iB1K0SpOot_-eVu0kT)i7Fs1O599XGPU?KhL
z`NDa5wR=qerUrT(H(J)ublIEy_*imABaB-zh}-WUh~DW#9@yKA<H4?=HhBVI))%3g
zQD&_MJYf6_5C<xGr!eB~Z-j{S_DK-|v$Clph?Y7Kk!{2c6Tww1(f)}{kmi!sWu7ui
zW%l1+Ze>9z{^|!uO$Psg@OvXpmH}Vdz5O}!FHZpZFM|1hlr)lmO-HF3OC1g)E^za7
zS7%LS@#yzk&^4(8*PDD>Y6<yPm#eZOgh@Y$x|y20mmaDQ>X7dZX*J1Xl3cttzI_%D
zbIDZKeqTH{musK2lyDv;>NdKMpVA(pQzjRGO}Gd%I?b)MXUUG1tkAYK&ob27qXKja
z>`Z0E%w=S~N;->X$QI8y9}?E)BON;3pe<=lXUzQbO-E`~aV?m(wS4Jz-gxVGAFOy~
zde3RW<?jW{A4%gRJKVtCoam3p7qOQQjJTP*IF}C*-;Y6@AP_ps2{4VFapTfh1c*@t
zi1CdJI4(mXW@%tztmz05+owd-)`f`Nc9S5UWh2g>h{$}#JB1NvWdspFsZ5FpsAe~u
zbdYfN9N9+PFxA#8KaXv@9CAzXbEauop^}KMMJHUsMlj$=m?s8BIuQ;iH!yC%dmt!h
rp%F*^F>wj;UB3_~NgVrkd_EH6czYHkt{z$wGl2yO!wf>~0+;cBs*Zrj

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/ssl.v3.trace b/testing/btest/Traces/tls/ssl.v3.trace
similarity index 100%
rename from testing/btest/Traces/ssl.v3.trace
rename to testing/btest/Traces/tls/ssl.v3.trace
diff --git a/testing/btest/Traces/tls-1.2-handshake-failure.trace b/testing/btest/Traces/tls/tls-1.2-handshake-failure.trace
similarity index 100%
rename from testing/btest/Traces/tls-1.2-handshake-failure.trace
rename to testing/btest/Traces/tls/tls-1.2-handshake-failure.trace
diff --git a/testing/btest/Traces/tls-conn-with-extensions.trace b/testing/btest/Traces/tls/tls-conn-with-extensions.trace
similarity index 100%
rename from testing/btest/Traces/tls-conn-with-extensions.trace
rename to testing/btest/Traces/tls/tls-conn-with-extensions.trace
diff --git a/testing/btest/Traces/tls/tls-expired-cert.trace b/testing/btest/Traces/tls/tls-expired-cert.trace
new file mode 100644
index 0000000000000000000000000000000000000000..2c26b52b3377417eb7240780f3b71fbfd06888d3
GIT binary patch
literal 14054
zcmeHt2{cyU`|o)N^E}VInKC=3jLDb`$q+&+^E_lIL&=n=&>$s*l$2ynhUygwNoiCe
z3L#Mv6>;}|#W(Wp_y6C!*1hZAbz5t%yyu+#dG<5x&vW+koTm+CxmW~`EdHCHM-UA7
zfn6hLDbGran1a9IKtvPXCq)+!+%~nEQzH5ZqGh>B3(+DUyGty<pR#f4q8^RF)H>Pf
zcEN{Bu=DdrT>uK6tOA3>;V~FWYOXR|2fT;JE}-u^NRJqS-*7D8F32FEYXAX=B)JVU
zM1~SDwWASLw~t!@3Eer&D#v=Q7trxoN^15K!fg;8NFsyl{sxeB04f}RtXr|-I9zv9
z!isfw19ZzMMuMd1dtd?5dhr1e86u{~(<3p!EO4wu!~~B!LqzjEt0Hm|B%RuqBeLT#
z7<CMSQO4m;y^r{`NsY)JYC@dap2e9qn#!C$)X(wWIaNH^O-z>xL2`&FQHm%=6eh9~
zsfmKbHAo(kjd&woh$^CjBp`=~@<bV;1W}a8KqN!5koAZX5=UevQWANIJP13&LZl<&
z5Ne_<QIfcpC`4o-QV|7+{K$Fa9O4d)tboWPXOVQ^Qaz#^QJN@D6d}?R@kl13fyg3h
zh&Dn&WFk@!X^B{b3<L@r!i-QMtOyfAiI5{WWF8A_;)~EAcpQSkBGiZ?0HjCg5H4_y
z7U2XBQ-fu2kRGQ16WIU=8317cafSr|3<x6t69R^%LkI{zIffidjw8d6VaY(;;IVid
z4uiwua99i$i-k{PFgV~5`Wu)fAO8_Oij|jO^yCJvh#pHPTYbJLM$DjY<AO(ke<!)h
z@Bt7}`wa#eAwx)GB_df@WdTIYX!$op0m&uADToMsj3{9dL=K0s6kLN#G#y>%TjS^D
z8=9YMICJd;8JjTCs)hcNkU!Nu1b7mmng;=aKr?`uRJ}9^RTo0_62X5&WAMXh46Y-G
zWC12*BDuhrs768VsntF*#XmQL(vee1#BYk9ro&*!$PhF@js~S7$64XYS+E8=ay%#(
z{6WdWY!K+`80;EI*zD-%?BN;&{*+@x>ETTZ779y8A2<I%7ddW}6JDWaVba~Qd5hi_
zg042f#M9R^*wsaj9c6|0a4dAc?pa!zfcq#v2c4V(Dvv6nq<?ncry{C=D#|M;sVb@3
zp=NSxPyslThJ{nl-`CO8kD%-C7aZvCL$G%A@pJ*Ja*<;}nHC<Q{s;UwiF^0%l?e*)
zbn%e!4|GRkFoM6UjUhvDF&G8}T&KpyU@*u%>RhyaKs)utYb_6fHZQfi84_Lfxsn?q
zC!3F_8eaGEAF^(fxNy|)QepHin&{xVG^(j|Z99%F%wsI|Cv%KVXR7y!m#ufqqM%k^
z=Xy>+@XqT}>RT^UPP~c>42zO-#$<jpI+!19*jVR8HE8rHu6U+Rh`X}aYrle(zsGTh
zeb{X5RMo><JO-Uyk98#M_SfcyR5iZpm1Q_?=kOrL`D;uqGMVw|-pMV3g9m%C$NXO<
zH+C4MaE)K9I!J%&+UqM%i#6{SMGJ-r?t0Ms#%?c_FX3u!Z8s(-IpK1vn$EPeZ$@Fg
zG84UbbMD7?au%JT7g4k5cE$Rcj%!=9>WAnkE@DCOVe(=ynZP1vNVew_!gHeRQLH@P
zHw6wGa;9!owyGd-d{nO9%ef!r1D5Bb$Ft*EGw&RG?^)PzvnPRHeZqlZLxs-Mc2bP+
zF<>zBcsveEmV?s5$64TSEQ%~l7Qw^dpp+yBAxMG4Ed7N=x4?%9_)X|WRE?YlJb=fP
z$$_m*fl8v{i_c*(?0g=<!2v;Pva&(0&LM%WGS2?K{x1ITKUrNfOO%qF+&!8WgT<gK
z5KsUwhsvVTIg&Zz@oV8sFwr^C=hrM}$Ax*M2nIo_t1Sa=qMnQ5Fc`c8YL6-`{zkFC
zfdu~zBp4N5nuLkx{3Y4nIVfP+EK~?Ck_pd?a>vju3*8v1f1-H##sv|KLButC*G_IT
zLFY`E+I?D-Mr#I*d70i@jE2xWL)5Lt%0EQ&+~1rYu7@$Gd_FIq@j1Rw$|B}1Reo|^
z*!B4vigh6gMKgs~`Rs{)cKo9|@^Ol1yX+WEZVMaxcaZPZ75!doLO*{ftkr+>t*lI(
z%|!cId`4fBsLxscylvh4Q;mJC@GtDHosU(${`T|dySe#~+$BfyP98Y@J<=d!hGS=1
zt$)}!jY5OsUfmWwvt#dO+SUp_nxhFwj2C{`=NxOWXH;=h=eFQ)_1+@4C8;!0JKcwM
zT(iGDQ7}rUUN>Awp(3l|`aScICNG<WkfS3pq|M>>w@&@Q-DB)rC;4WH_D}93_(8yT
zZvo%6F7O?rU(KhKu-G42eP#Y>vwml8|Gw`b-TD7Ucb58ctSB=uJ>V}IZ5NlVfgwS`
z1Z^ETQQ$Tb|L`qc)ei*(=;!DIncwj5%zv50{LRamKW%0)m(-%mnV+zAs~N%6HF&Ro
zptqbLN`R7aEL?v`hSX}|?;lL!PdQXYUSWwp<xx~g0hL1)RTNb0{tqzvf8y7tk}|xH
z^S&LhV%6%I*6WV5nm!m|<>q;5!1jY{?Btg{rEU#dOwXL8s?sX&;K*U7Dv0V6cRr0h
zDwjo#?X|V9{fJhMM>-T!nkF5&qiW55CMY$Ox+Q;$SXF_d@@tVbr5fo|z08_HBQEmU
zI^-H$oz(bn6B|Rx$9uycA$2=`B#*V->1Xj1+1aIWAtA5J@Lt_LhHfrmY2e4uag|tV
zeGZ<M{aGL16iP|ug<P|b;Y)~3YNvFibrZEA%cXrYND)U9m)BhQ?3BUnuC6)0S?ozY
zOzU7}l{Y(zaTrddI(6>b4)N{X_pFXiBoj=v!u!AK<0{TbHbzBS9`e8Q*rsH7kze-$
zehpg2uSGY{gez8vPXA~W-8zoD*(-d1EB9~wx+?v`9K6J@7;;hsFYqfRN)BiiykL=%
zBcM@g6kH<514czqJvdDOzaCXbRdbYcl;RbBBf^j%*T7&H{v;+`jJ?I6*VTrBM<T`O
z@<l=etQeh-M(3d$7Owza{0B2w=D&m)pzMsQ{sthuw5Wdru-a;BX`oBu=wMW2X(}e3
z>vwuxCVT}6kf>8vL{*3ae>L5~)_wh;tmA$=>xfzMq;lh|AJ524=-euAYTP?7;a&M~
zuqIY>*Rgf9&+dFYeCp*19U)%a9?d(OK8FNml^=arzD?2EkS|w8a(&s59plCxm&(o8
zjQwUYRcjcZovQjEb&Hj}O<Shl=k3O0^G#xrL30BfH8Bm0WYKPSj)<w`=xGl3w=0zF
z`_^Zfb)(|`s}`A;Cj*lA(Yy=NOixew(8r{w)VV9#N&jh&zWp&7Lmr;j7Z{?P)&zNe
ze%IsMxoMv@v#21G0j6mO*PV(}r^g%-tIv3q*|@>b3Oe0ex(eMMPXz6e8P=E~W2Z3m
z;geI@<<)VRr`->Qn7@J7Ml2mIf~7*Dp6~D1x?kJHweI=JCq_T1pV7uWR=u#(g62ka
z@clD&!{%|>$7P%|17}z&Dqe6zvOlw{53A9kkr1DgH`*BPyd!$v7NZ>TvFoP-`{9k;
zMe2dChT@S>ygkLG*R7$!l>6BjN3z?px)sPMx}9DpT)PsyzjyNa+nXLG?^QJ!gx4gO
z!*f7Xc+ZCK^>I@tyd(rRmE(ymhexKn?P*RoiH<W!V&$WxA5xW)r|wRsF16m^Z1bb+
zWSHFNQY*r^QuDkvK6T=W38j?H9f2L}d#X75Gah0}=oM`fUw$??F{(bqQq)vR7uri@
zYGR?l7AA!j-#XpU-P!K5Kflyx_=^B)J8F@0=OzZ(UH$37`%uvmo1Hs4EL0S=@4Vrt
zf5gD45dR=-_fz{|$o!iD^Gku(Za7xH^JDlcuR!L{Ik=qpGxJEy&xsk_Ubme2v#si$
zk?$X?655w<AWyUnSlj4xu;(S=iGoLpL$u5V?ot+9<@bG@KeQq#+X6k*zpgdVw!MmP
zqA}(|j|z(-2OWKGs-(60My1P98a<e`I^f-rJoPTgdq>m^+B+0>fg|G8mZZYsxlbpj
zE2L?@&NZu>ayz`%s<>CFT=0|i<goK)>b_9&N8XxsO%3%e86E7jZroqnLtD)n_g(+u
z*zD8bKxO}N*1l6-%uy-)$*n!gZ^w4`+8w57QT2~SMUFkl$!DmknD^X$fI|1}mFWz}
zLD_T8>0x8Fb;(6i4(rX#XK3J|22T%8YS4D2z;^J24adqeF``J^4bQ~U1<TLG`g~Ql
zGxMSt1@>^OEZB~#jEozc!loc%<zEpKgdt+}*FO=nk^rJRm&2ckaYGn{68IL5Ki2r8
z<pf0BTfZtICjn73TSDZ8YlP~@GlD7r5|yx}xu}%=S>&sFf=?nDjxVKy``e`}9S_;x
zXYNox?Rkjz;&wxR+Rk@YH+G$<8C$cRo~iEC4(uC4W#zijgsQv^2C`!>^0zd{y-lbU
zFR*{1BzalqZO+C{^U2nO*Q~ebJSw0$6u#}=^ECqn5gjqyQ8oJ=Lp@Y?N^qz6#Xg#x
zY#3#QZ}=FvAe6h`Eq(S=hQv0*+4|jj#{>L)3oS4e8`cUdojGQw8!LH%&p+vrYa=C#
z$M+9pn)GGR(icMUhzYO>9Dl^UW@RBM?p>D0eO3~P`*%^CSjrJ_UWFAB_7frm;6Glt
zj8;%WYJ!n~5SgdU%35=S1H<gjREuu+iEPx8I?L}M)R1?^zF<=)<vO|yp^FWSL~QJ-
zPvcUpFUC9azw13OFu8r{B!@)OxU-F}Fy{-pI=gqeV%c~07I)Gx|4hG-DgQ0mzTx8S
z>D>CUZegi`=G>Gq*=NrRqHdWtw+W3LS|2oGzS}P(WzXKW2>sHbdm(v;3NGk+?b!4F
zk{@R)w+L}v!(%)9<7$emZ=K5>&xa2@y)5yT7n|+oPTh?i&=WnXMSskTkde~&uGsuH
z+g|xjY3w$8cfx3A#UxoQhOACt^tI@umcw@j#%J3<Z#&cP?kw-n{)CLGwosHl{o_Mu
zTjntQU-reI5{x<f{uMFzuIl!=(;$k++2xmFt^wMY93V2x(SvdfLK=TWaq_!;5OIg@
zs)!(pO~8g-sAsW?K|~JVEkcLdE>`M<Po{!XH%B@8r6hKDhn{NmJmW^A=kD*kJ^eO(
z2z{wq`?Mu=*FDKV&Xejyo_Ejqyj@=@tw~X)6P&&7h?gFV_sq=ubax*j91&uX&uvBl
z)_SfAyQKZf$U+n=ufoX6^<5rW=T1A>Zd@P5h^1VUv=~`pAGyj{#USEOfOr&W562(c
zN2c{a?XP@ZuKmXKBzpqws}3(||AGC4*hiA~-X7K0pPAQ+W^KVT3UuE-A%QdM_ZT@c
zagOmC4{b>BcG5%fRu7Y$db@2dCrp@bC}+^(q--e@9#ri+@Qy4zI~E~>Ys-=#`<u2!
zByD|G(e@D3mSDT6tvD;t_5(!R0&1@AU{}Ji(ta4*%4?*Zxp7rQurp7yEg{B3M4$+U
zaDZdhh^0@mLiws29q!v25z9@OYpfF<lsJD;Lmmyr$?K&Az57&&XQoT8e*9SdB7%ax
z#JS9ymNtV<Li1v@;NF=moO%IP#XOAm5#8MBWaV`JNw=^Ma?%oOhs_fbE**I)P<Vwc
z*Hw%DXN~{u*MkQg*4DOp&ecSEvM5|x&mnkkp7Bdsbz*A1#pA>D>}tI(FQ08Re9#a*
z+Z}&&M}|gOTj#n|l)<+;$+F1fz^$}!(;2c84|wV+qjp&^PwGatS%snv-ud4B*E3%E
zoUpvaM7?p?XhZ6QOJ~HgLytYWq<{X#BaO3V54()2gEpt<QqA9fbFl8P65)gi$7T*c
zPgc>fzJ~D<qbl?5I>S9#$i6FvSIE__G_a1J_xn_l8<rNH2F-2*%?{!Vj+JIdY%7aN
zj?`an_Ut+kwuc}go&d$@1ws@jnVk)8F*fFx;*posTlXZ4MF|a_k5qm2zIwA;$J-fk
z&2vuzxP+ltJ0Ny3hyEc}v9g3D)^ml}K9X1_EG0i6h2O<O#OJ>u{;^vWm2Kf}p<a>k
zHXf?Fom~gm=i^-10wPx#hbj9B@py>%@~?=-Ef8_aY{mYAh<yO@!`v^^{Ej&KS43{0
zwHEnWuT>D=k`S%_T;mD0f86(n*0$*gL@bzG6%lX*Pw#R>lKYMh*VP|tb?)1G%H?}n
z_NerCXMy|AY-KF(jMCigIX>A5O_K`5F1qgzv5IbAq1e~LE5u#}rg<C1L_p@amy3mn
zs)zn*U91uirKEuHSP>9!K|oxEgu*krfCyZ74H_IGvL^l&v5bW1z6xRy3Gu^nL}q|^
z6Q%x3TZr-&)EYAmwGPL8Y8%~$somZw^#*J#Qd>yj*vht$c0IfY+d>fCkoljc(;pVl
z`YH<7D-jQop#;zt+V_V0IvbGCTf#g)pYFAUj)7Z4#jP!ht4zCo5xotd|GURZW8vCu
zl~%017f4`-t)UxW?F*??M;#)=_3mS#{Yz`8Mh7BpS+^=8XboL@y&Ms|N-egAstYFr
z5EbF>C%wHFHHhzR`akTmEV`eQmR?Gm-luXy;{UgXR%s1Ej~vF*|D}=hRT@T+@VgZe
z#J;^#h7iRV!}$s{DSt)IELWM1I()e`0<pP~)W~5T*rSpf(af_ibXfT8r!SnX=Y|6}
z-@DaXqZzrLgCLt#gk}<K1eraDZ>Dc3Qn*sye6giwQz@q8G+UTVt{P~~0XRk-8iY|3
zVN^%R{LmOOFHrHc_*LyxQwoqj-=@XB{rEBIx_H!cMWF+YuKcasX=N$LfwIB!A~g%W
zwQHcKrKh`}6v5EXSw>EPRCEFz7xu*)goSG8Vqp>#jo?fg7Wu8NfxbZme>Vasu@D@C
z39#w{3-PdSy$7HM0aQ{IDKNm1Am%JChsuG{JDiMT5nV#p^>GXeA}A0nN#%R+Um%zZ
zOPtaK1BIm)k;+nu6Sj!tmRdy77k<;r$V`r&)MNl%E3&Qr-eLZ7%qSxiNWn^F8R82%
zM$+CPa{MSSNq1JZty^@g2o~CgCN|o(ptU3;WfJTn16opYBn??5R%-ZfnxRT^pkhzb
zjFkmG6zuO5A`Mz)phE>M0IGd|?>pTVFJ|4Fh2+fJ@!)rUmJaRdxpzNm25T?EC2DxO
zoVC15;?=a5<JAt=)bQs?vpTZnFJ`Y-^LO%gKEWCBUT$$WY>iAvxE|>nX3eqNSSkMC
zzJX4<77Vw@{i7Tof@4Qdg`ZE{*)#Iodn><krYEN$)?rFMz6j6f{=wv-4aLZXF_G-^
zX7L@fmoJK5N!wATH76!`ES-AI?O0HYnE1M5=k0BKWIOfkSiJcAgkwsM-;F11*6y2;
z(Kt44kT~Mp{Z_~`d6dh1M~tleaGprlXPcg|4I%f46>R;K_e&_ed^rXBUkJ229x8Ma
zU8}mDUOuFA<Fy*r;?pL#Op@z4ur%d#i*?ahV5tKrKd>Zdf`Ax}S=E}bOUcJVY9cKw
zfr1v3KD;G>*F-f?wH%e4b@7V7YJry477Gz3ZJ;0xJ3h-Ibm^{v0;#yE3t<R&00P=Z
z)Vtz0VdB5(V<^_45~$c>p%L_+c>guzodbgYQ-ce3HW#~Vbb8y_E%oYSBKZh~B9j>B
z&Rby@(LIZjK!Mc@_4xM=((kIET8pzl5q4GO9X%cYqP%P13hE%$NRL-Ow7XIAn3cXd
zFaH+J`5MASiU1#JE8O8>0deCNUL&u|&y)%a(`Aj=D0T@b`Rl8E#~8GThrd)%ejBcA
zr%Jn{u~GF#Dr;83AtxP|enx)BracTS(-ncj7umNBq<zv53Ry3nGB=>-*CORVcy6DH
z+Wy!eLQ`H-eb$Gg<C{fqYK6O<JF&sqGNRSto-%L1RRi-MUigNAXps;yHMzF!BONSE
zq48}E1i{w3m(O)<vYxfb>rMS}xL7x3+=#sZH~BcM@8~EE5Bq_E<L}P8bDSv)k8~Is
zD##^2TssDtpBML6=9eKc|J&uvUwdnj`G5X8j)BZhV*Z{wT8AO?dG&&IT9Sj_(cuo>
zKawPQZ^t@NN2L8U=AVslZ1zCNJ^>0J1r+{tv0>E~e(@5HKy{<NZgSY->G2hQK%-lK
zqq_ek3Wq^WqHsCD$^_6eT1Qx<<Ap2$xOby}Ai*&t*uy{2Gu+jMMDhN9K4EhDDBK%>
z!8I1A5EdESEX2vj)0tov=;`Yi7)H<qjRa3OPiMzqPk%px_5xOL802*&60f76_5TmA
zgJsC0%8RZ4|6B9be<J$QLvaFkX!XC=6^fj`RCHc5vu3JZ^~RCbJ6Eln25McC^|owo
z_y0&`^t9NNG1KFS%&CaP43^fnii-7L?7tXBIK^&?4(><@^}$+xuREYCYO_rtR$YOb
zqvVn4ap9u){VvR1!A6R?eAFXpd^BvcdB*DP&IymcNz<mrGqzqoyT0{<awf7#DPG(x
zbV%R%0hjicuct;M&OB}0U2b+utUM*B+A{NNtCY~?pRD9VoE2w>H2k7}_CHWsS8o2q
zbCkKp+Rs13=I#;J_w@I`rwm)YS~lOk%~X1g*FE~ao|QuS0pW}dmih<cxxZ-q@I4Uy
z^@h=tuLqTREAt;w^>aq3nEqf`B>Fdi=wG9Xi(Ca5P7H<3)?Z%&peuUh%NPzeYFD<o
z0^l_Q-V=34UCC*d2%7_kTK_i~TVhc@7K`$8|2w;b7aFj3AW;A>je^e+a@OXE#0&k(
zG=C(Q0B1)9X?G=3Vp*22K+Dc|Q6h#G?}+Zqb;z+tZBZN4ik%AVB6n9=cTYET4Jv?A
zkdsN$<FMR#)|7!K-0@eFlD!)qMtMEm#3>cQC4-8vFN*i^clTe;?|Xts*C3J@Tr?9N
z0AAojdE~fI4sZc%X2!+MyxGjyP+DGk-EXbORddtt$?L!q*GqT0M{7T!R9|#ee_)Fh
zz$?@$-zd<=3XgX;(7xQ3Ik)cmhr?0E9eLAPU)n6kW6tH}4xX;xmKEaD%g1B#qoZD$
zj5y*~CKzD#lAxfaKyk-4_D71Ya>fY#S)YKhsmv(#m&%jjzN3#g_Zu3urr+ZdJAbQl
zukiFi(RklOWLnzp9c$G-c5UJld_Y5Uq;9e_;%7yA!SEi5K5pqle!))?y7>j0-mqVX
z%zqj%|G%H>4hh0jSZvzzQ<x0l4R^g8C@JhItX(>VRYUe?0f?3t5#%`d91M<?=TNfP
zuPDqVBC5-CNxd5>mvF{#UL9FHMLdWAr-*9F7*^`k?Gt9B#qIM>%5+7pPsp_`KVn&%
zE4PW|UhTCXEkAI|Xa?6@B>H;LEtJ{lWwy>t-<d(3*o>4Eci|yNuFCEQl{BJc$qjyu
z%^^27K77kbzT@(>g6Ojb>^-z%J|b(Yd#d8LH3_KjUueAVhTxxql=KJ;)n92zgm$PG
zb(G1LOq?d$yzkr36`n<R{ui^7GO7e)jfO?$zn3pyszBGtf$toajsWs<;O9T7;{T<*
z_@DAeu`ng2c(~HJU9?x;8>^dk?W@z!=dG3OofF4?x1r2)Imov5>*u0oxkLxSA&D#b
zI^`+fs;#O@tBlL%QX(mAM#ptuyE(BrKHNojp|j^(Z-W!%`mHP<3|not9uysrOySA?
z@HO}N9R<TqU1u)~<HspO0p^=K5<MgC1x%H9F$cena4@!hl6ISIZ*Ixtd69`?-V^Se
z1C!+V@nhBfNPo9lCD%N*W>RCU_s9q3Bcqcqu1-vST3_59a$JFnk5}t{urSw}lP_84
zu1Z+kOL>Mj>`!twNYL<%y+3DgQ!;YP-BZ`-vz~V765WH|u~J43Y{(9}p+No6VT0nK
zw8LYTLn3U8`6C15kJBgvq%+b7Wn?I*f6S8(Zh(}*TRJM5Bb*}`Pdb$T`o`<`Bq9q*
zc~wSU4>1Y&b>OQ+`ClJQ{I_5FNuR{6N{j!S`Tl<{!D>Pih~VLlUFFNXrE55Hs)a<W
zgU9@HNTS57U<h1vG{S=I{sz7Un6UfyjX-Og;6%~hK5hEF);9OdK%YvtX`LJAlcEot
z6Lc-UnntOF2927Vu3MXm^~xEGq`Wl?Ur=1X5$$~U`wp1_3HSB~3bYb060LDU0_C@c
z)F^E$M)j4Z58KbXJv1wB^0i6g3azR>-(fQ%aMrlErX`s<vgzhLti_P}&yb*B0D}H^
z%D1F|lwVc)C*?O)0?IGExPFoHbrn_I9z;OI?#l?0fLRzT%ek0vW;2L5Ex0Nos3O0L
zUP4rYh_IAL&IrDR0G+fvwdoViHws=(mUN5ky_uFcckyv=;tzc+OV7vr)1%+k{-6~4
zoSl;x?LwYx-E`rqy3zXZkmkY|7C-Vc%-Svt#WtEQe$2CN3Rm2pjhqbr(V?~Zew%Me
zd5r3d_KR9`veAX5&e&kDNEN?Stu#Eo`SJm+F9K{=w?AlIYu<gRy7O+%Zc|-dY{u7w
z0jY_#gOR1XWM1!=FWL2GeWbyGkO0--n`iX*x_j;(3(^v}a(64&#n!g9)|8u#teIU3
zSfAW_qcBz_mpm{&U30^q-HUqTSL>p4d$;Y7kkGk*+&_b^BE#mOT>Uk-t-d{Mrwo1=
zcv0rLo!9doF>|fobi=3aLI&G!9o6o^zT-1G+5I8Tbs`rX1u1r44H@l;Lmfq18_(&M
zcGTNzaYS!j(@oR*eOMz(_iirqOFa0rd_O1=!?7|IBmQ6INF`yD<*B%-a(kz&TNFse
z{h%|wP|$1V<SNru`fV}kAyn1$Hhlv0U3yJa^pfvC_*C`m)3iN18+W6OZgTd1+j}bY
z7NsP;Fb1bV)hTj5xELH6?k{0C+6RM#@5S;Uk#&2+-Si2B-RybAr66fnack#f2Z&$1
z$^X*ctv&z|&EBkv2*OUsX%W%P9wL%@m;5D;A9)Smyqn1Me@oMdG`3Qfy*aV#vh(Ms
zr{-ePrqtj=X!ZQ(a}UHeO8hK$9<68<wpW~db=I&(x#<Ciz|RSbUcT>xQPQ{;BcU6^
z3?7jKXFcIs#oMWtwEx2uic{Rs72@YsxZ)FV1rgR(Md}t^@j8jC%*-AlRsclU+J$4~
zrb8l|Dxvne)ho0olI#hzUst-Qy}7cA+v_Bf_C>;>rc&%N!ihU9Khu9noT8>+7gOSD
zwDS036&I5<tV??63%(9HGR3&RL_YHI5k(&JT@jO!J^Z80Rpk9c&nr(_!?ooU(;!y?
zA;7UxTg<sB9;mID!k^lr)G+Xv@)x!3qU0(wS0;%q3#Mq6r`=xBIg9O_cMa<3dB=U(
zcCARw>u<O86B*W7f`>3#n<yiS?p&5Mf4}ij#vAIp$=%ca+D*!9jui<#x=g>bAyRS|
ztw6!sxsjgPvJ5M~(67y&*$kMBV&3415H7m1qUpFTw9Q68Z^n!^h)l=DI;fGm4;A@P
z<~!b(QxoB(3iUB28>o3cXDyt?;~nQu9-uPQ>NFj$T*I`+cVe4fdia|HwGA@cGb2PY
zsqV~OuX3Dqc1gVGZSr2pJlWUQ92an)3)c`?FcCYic|?nl&FsVes^R?1Oi74ddwx>X
z`PW;m3(loqIL&mnc((E6^rnN`+ooKfY9f(?K_hpJOg?4^Yi%u$PTjXIGAU&)>D(TH
z_xj;cmzgG>?mn$lB-?&=K9kCRio>>ayxgO5TjTQyZep<SW@qH5VE5fq&plhbGPndi
z6QtbvKbxdp9o-S-A+Hti#5bAwR=Vu)?pukT79~|I(05mW?-tX;O5Y)hQ@o@|&0Oxg
zX1nd3z;{eBoPs6GeFqV@l>CGEN2DsgPJodri!P5;l==;KvmMy^!*Om)ky@(a)<p>s
zE&hs_t_~4*?_UMco`mT7C*oCrxY)=3V~w_!f)KH4_o|3sHyzxz9Ff!r72p|Bi0F3B
zAUnDFfun-Rr>Lq%4HHwX!y$rc@$A=W&7mTte^rDb4~m^(TOn2!n8qG9LgU1ii-m}E
jC+Ys?K0cEBGFG_H9=Hz$L_@X)Wby^h?}`Ciuk?Qa`rl0}

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls1.2.trace b/testing/btest/Traces/tls/tls1.2.trace
similarity index 100%
rename from testing/btest/Traces/tls1.2.trace
rename to testing/btest/Traces/tls/tls1.2.trace
diff --git a/testing/btest/bifs/x509_verify.bro b/testing/btest/bifs/x509_verify.bro
new file mode 100644
index 0000000000..7fe9a69c6e
--- /dev/null
+++ b/testing/btest/bifs/x509_verify.bro
@@ -0,0 +1,25 @@
+# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT 
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_established(c: connection) &priority=3
+	{
+	local chain: vector of opaque of x509 = vector();
+	for ( i in c$ssl$cert_chain )
+		{
+		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+		}
+
+	local result = x509_verify(chain, SSL::root_certs);
+	print fmt("Validation result: %s", result$result_string);
+	if ( result$result != 0 ) # not ok
+		return;
+
+	print "Resulting chain:";
+	for ( i in result$chain_certs )
+		{
+		local cert = result$chain_certs[i];
+		local certinfo = x509_parse(cert);
+		local sha1 = sha1_hash(x509_get_certificate_string(cert));
+		print fmt("Fingerprint: %s, Subject: %s", sha1, certinfo$subject);
+		}
+	}
diff --git a/testing/btest/scripts/base/protocols/ftp/gridftp.test b/testing/btest/scripts/base/protocols/ftp/gridftp.test
index 494729cf5f..18b3bd956b 100644
--- a/testing/btest/scripts/base/protocols/ftp/gridftp.test
+++ b/testing/btest/scripts/base/protocols/ftp/gridftp.test
@@ -2,6 +2,7 @@
 # @TEST-EXEC: btest-diff notice.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
 
 @load base/protocols/ftp/gridftp
 
diff --git a/testing/btest/scripts/base/protocols/ssl/basic.test b/testing/btest/scripts/base/protocols/ssl/basic.test
index 94b0e87ec1..05dad1dca7 100644
--- a/testing/btest/scripts/base/protocols/ssl/basic.test
+++ b/testing/btest/scripts/base/protocols/ssl/basic.test
@@ -1,4 +1,5 @@
 # This tests a normal SSL connection and the log it outputs.
 
-# @TEST-EXEC: bro -r $TRACES/tls-conn-with-extensions.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test
index be1a2c2c2d..d69bd31563 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-ciphers.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) 
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
index 9cceca70b1..74acf3224a 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-handshake-failure.test
@@ -1,2 +1,2 @@
-# @TEST-EXEC: bro -r $TRACES/tls-1.2-handshake-failure.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls-1.2-handshake-failure.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test
index d2f82c4bc0..7434b289cc 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2-random.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) 
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2.test
index 25b9083587..4c577db403 100644
--- a/testing/btest/scripts/base/protocols/ssl/tls-1.2.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2.test
@@ -1,2 +1,3 @@
-# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
diff --git a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
index c5e0b1b407..425afbb2c8 100644
--- a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
+++ b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
@@ -1,7 +1,7 @@
-# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
-event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info) 
+event x509_extension(f: fa_file, extension: X509::Extension)
 {
 	# The formatting of CRL Distribution Points varies between OpenSSL versions. Skip it
 	# for the test.
diff --git a/testing/btest/scripts/policy/misc/dump-events.bro b/testing/btest/scripts/policy/misc/dump-events.bro
index e91d234d21..59834b6854 100644
--- a/testing/btest/scripts/policy/misc/dump-events.bro
+++ b/testing/btest/scripts/policy/misc/dump-events.bro
@@ -1,6 +1,6 @@
-# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace policy/misc/dump-events.bro >all-events.log
-# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
-# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include=/ssl_/ >ssl-events.log
+# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro >all-events.log
+# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
+# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include=/ssl_/ >ssl-events.log
 # 
 # @TEST-EXEC: btest-diff all-events.log
 # @TEST-EXEC: btest-diff all-events-no-args.log
diff --git a/testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro b/testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro
new file mode 100644
index 0000000000..9278e11de0
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+@load protocols/ssl/expiring-certs
+
+redef SSL::notify_certs_expiration = ALL_HOSTS;
+
diff --git a/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro b/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro
index acc414a33c..ad99e2e143 100644
--- a/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/extract-certs-pem.bro
@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/ssl.v3.trace %INPUT 
+# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: btest-diff certs-remote.pem
 
 @load protocols/ssl/extract-certs-pem
diff --git a/testing/btest/scripts/policy/protocols/ssl/known-certs.bro b/testing/btest/scripts/policy/protocols/ssl/known-certs.bro
new file mode 100644
index 0000000000..f5ff187164
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/known-certs.bro
@@ -0,0 +1,9 @@
+# @TEST-EXEC: bro -r $TRACES/tls/google-duplicate.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: btest-diff known_certs.log
+
+@load protocols/ssl/known-certs
+
+redef Known::cert_tracking = ALL_HOSTS;
+
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
new file mode 100644
index 0000000000..56408483f0
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load protocols/ssl/validate-certs

From 3f52eeacdad1ca03ab2d850ff8e3529065efeac7 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 13 Mar 2014 15:41:57 -0700
Subject: [PATCH 101/220] Fix dump-events - it cannot be used with ssl anymore,
 because openssl does not give the same string results in all versions.

Add leak test for x509 verify and fix small leak (type).
---
 src/file_analysis/analyzer/x509/functions.bif |   2 +-
 .../all-events-no-args.log                    | 231 ++---
 .../all-events.log                            | 907 ++++++++++--------
 .../smtp-events.log                           | 190 ++++
 .../ssl-events.log                            |  60 --
 testing/btest/core/leaks/x509_verify.bro      |  27 +
 .../btest/scripts/policy/misc/dump-events.bro |   8 +-
 7 files changed, 827 insertions(+), 598 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
 delete mode 100644 testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
 create mode 100644 testing/btest/core/leaks/x509_verify.bro

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 40af444a98..e20028cc60 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -209,7 +209,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			}
 		
 		int num_certs = sk_X509_num(chain);
-		chainVector = new VectorVal(new VectorType(base_type(TYPE_ANY)));
+		chainVector = new VectorVal(internal_type("any_vec")->AsVectorType());
 
 		for ( int i = 0; i < num_certs; i++ ) 
 			{
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index 4e01411971..6de44b1fbf 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -1,117 +1,118 @@
          0.000000 bro_init
          0.000000 filter_change_tracking
-1170717505.366729 ChecksumOffloading::check
-1170717505.366729 filter_change_tracking
-1170717505.366729 new_connection
-1170717505.548308 connection_established
-1170717505.549109 protocol_confirmation
-1170717505.549109 ssl_client_hello
-1170717505.734145 ssl_server_hello
-1170717505.735416 get_file_handle
-1170717505.735416 file_new
-1170717505.735416 file_over_new_connection
-1170717505.735416 x509_certificate
-1170717505.735416 x509_extension
-1170717505.735416 x509_ext_basic_constraints
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 file_hash
-1170717505.735416 file_hash
-1170717505.735416 file_state_remove
-1170717505.735416 get_file_handle
-1170717505.735416 file_new
-1170717505.735416 file_over_new_connection
-1170717505.735416 x509_certificate
-1170717505.735416 x509_extension
-1170717505.735416 x509_ext_basic_constraints
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 x509_extension
-1170717505.735416 file_hash
-1170717505.735416 file_hash
-1170717505.735416 file_state_remove
-1170717505.934612 ssl_established
-1170717508.515696 new_connection
-1170717508.696747 connection_established
-1170717508.697180 protocol_confirmation
-1170717508.697180 ssl_client_hello
-1170717508.881857 ssl_server_hello
-1170717508.883051 get_file_handle
-1170717508.883051 file_new
-1170717508.883051 file_over_new_connection
-1170717508.883051 x509_certificate
-1170717508.883051 x509_extension
-1170717508.883051 x509_ext_basic_constraints
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 file_hash
-1170717508.883051 file_hash
-1170717508.883051 file_state_remove
-1170717508.883051 get_file_handle
-1170717508.883051 file_new
-1170717508.883051 file_over_new_connection
-1170717508.883051 x509_certificate
-1170717508.883051 x509_extension
-1170717508.883051 x509_ext_basic_constraints
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 x509_extension
-1170717508.883051 file_hash
-1170717508.883051 file_hash
-1170717508.883051 file_state_remove
-1170717509.082241 ssl_established
-1170717511.541455 new_connection
-1170717511.722589 connection_established
-1170717511.722913 protocol_confirmation
-1170717511.722913 ssl_client_hello
-1170717511.908619 ssl_server_hello
-1170717511.909717 get_file_handle
-1170717511.909717 file_new
-1170717511.909717 file_over_new_connection
-1170717511.909717 x509_certificate
-1170717511.909717 x509_extension
-1170717511.909717 x509_ext_basic_constraints
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 file_hash
-1170717511.909717 file_hash
-1170717511.909717 file_state_remove
-1170717511.909717 get_file_handle
-1170717511.909717 file_new
-1170717511.909717 file_over_new_connection
-1170717511.909717 x509_certificate
-1170717511.909717 x509_extension
-1170717511.909717 x509_ext_basic_constraints
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 x509_extension
-1170717511.909717 file_hash
-1170717511.909717 file_hash
-1170717511.909717 file_state_remove
-1170717512.108799 ssl_established
-1170717528.851698 ChecksumOffloading::check
-1170717528.851698 connection_state_remove
-1170717531.882302 net_done
-1170717531.882302 filter_change_tracking
-1170717531.882302 connection_state_remove
-1170717531.882302 connection_state_remove
-1170717531.882302 bro_done
-1170717531.882302 ChecksumOffloading::check
+1254722767.492060 protocol_confirmation
+1254722767.492060 ChecksumOffloading::check
+1254722767.492060 filter_change_tracking
+1254722767.492060 new_connection
+1254722767.492060 dns_message
+1254722767.492060 dns_request
+1254722767.492060 dns_end
+1254722767.526085 dns_message
+1254722767.526085 dns_CNAME_reply
+1254722767.526085 dns_A_reply
+1254722767.526085 dns_end
+1254722767.529046 new_connection
+1254722767.875996 connection_established
+1254722768.219663 smtp_reply
+1254722768.219663 smtp_reply
+1254722768.219663 smtp_reply
+1254722768.224809 protocol_confirmation
+1254722768.224809 smtp_request
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.566183 smtp_reply
+1254722768.568729 smtp_request
+1254722768.911081 smtp_reply
+1254722768.911655 smtp_request
+1254722769.253544 smtp_reply
+1254722769.254118 smtp_request
+1254722769.613798 smtp_reply
+1254722769.614414 smtp_request
+1254722769.956765 smtp_reply
+1254722769.957250 smtp_request
+1254722770.319708 smtp_reply
+1254722770.320203 smtp_request
+1254722770.320203 mime_begin_entity
+1254722770.661679 smtp_reply
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 mime_begin_entity
+1254722770.692743 mime_one_header
+1254722770.692743 mime_begin_entity
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692743 get_file_handle
+1254722770.692743 mime_end_entity
+1254722770.692743 get_file_handle
+1254722770.692743 file_new
+1254722770.692743 file_over_new_connection
+1254722770.692743 file_state_remove
+1254722770.692743 get_file_handle
+1254722770.692743 mime_begin_entity
+1254722770.692743 mime_one_header
+1254722770.692743 mime_one_header
+1254722770.692786 get_file_handle
+1254722770.692786 file_new
+1254722770.692786 file_over_new_connection
+1254722770.692804 get_file_handle
+1254722770.692804 mime_end_entity
+1254722770.692804 get_file_handle
+1254722770.692804 file_state_remove
+1254722770.692804 get_file_handle
+1254722770.692804 mime_end_entity
+1254722770.692804 get_file_handle
+1254722770.692804 get_file_handle
+1254722770.692804 mime_begin_entity
+1254722770.692804 mime_one_header
+1254722770.692804 mime_one_header
+1254722770.692804 mime_one_header
+1254722770.692823 get_file_handle
+1254722770.692823 file_new
+1254722770.692823 file_over_new_connection
+1254722770.692823 get_file_handle
+1254722770.695115 new_connection
+1254722771.469814 get_file_handle
+1254722771.494181 get_file_handle
+1254722771.494181 get_file_handle
+1254722771.494199 get_file_handle
+1254722771.834628 get_file_handle
+1254722771.834655 get_file_handle
+1254722771.834655 get_file_handle
+1254722771.858316 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 mime_end_entity
+1254722771.858334 get_file_handle
+1254722771.858334 file_state_remove
+1254722771.858334 get_file_handle
+1254722771.858334 mime_end_entity
+1254722771.858334 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 get_file_handle
+1254722771.858334 smtp_request
+1254722772.248789 smtp_reply
+1254722774.763825 smtp_request
+1254722775.105467 smtp_reply
+1254722776.690444 new_connection
+1254722776.690444 net_done
+1254722776.690444 ChecksumOffloading::check
+1254722776.690444 connection_state_remove
+1254722776.690444 filter_change_tracking
+1254722776.690444 connection_state_remove
+1254722776.690444 connection_state_remove
+1254722776.690444 connection_state_remove
+1254722776.690444 bro_done
+1254722776.690444 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index f383249428..dc4e0fd8e5 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -1,479 +1,550 @@
          0.000000 bro_init
          0.000000 filter_change_tracking
-1170717505.366729 ChecksumOffloading::check
-1170717505.366729 filter_change_tracking
-1170717505.366729 new_connection
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717505.366729, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717505.548308 connection_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717505.366729, duration=0.181579, service={^J^J}, addl=, hot=0, history=Sh, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717505.549109 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
+1254722767.492060 protocol_confirmation
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
 
-1170717505.549109 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 2
-                  [2] possible_ts: time  = 0.0
-                  [3] client_random: string = \xe6\xb8\xef\xdf\x91\xcfD\xf7\xea\xe4<\x839\x8f\xdc\xb2
-                  [4] session_id: string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
-                  [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
+1254722767.492060 ChecksumOffloading::check
+1254722767.492060 filter_change_tracking
+1254722767.492060 new_connection
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717505.734145 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 1170717513.0
-                  [3] server_random: string = +e\x8dQ\x83\xbb\xae\xdb\xf3^\x8f^Ro\xf9&\xb1Iy\xcdp=$*\xea\x99j_\xda
-                  [4] session_id: string = \xa8\xc1\xc5h^Y$\xe8^J2\xa1]^^? \xbc^?Q>V\xb2^U^C\x9d^MU\xde\xfd\xa5\xa3 \xc0
-                  [5] cipher: count      = 4
-                  [6] comp_method: count = 0
+1254722767.492060 dns_message
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
+                  [3] len: count         = 34
 
-1170717505.735416 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SSL
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
+1254722767.492060 dns_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
+                  [2] query: string      = mail.patriots.in
+                  [3] qtype: count       = 1
+                  [4] qclass: count      = 1
 
-1170717505.735416 file_new
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+1254722767.492060 dns_end
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.0, service={^J^IDNS^J}, addl=, hot=0, history=D, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
 
-1170717505.735416 file_over_new_connection
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
+1254722767.526085 dns_message
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^I[31062] = [initialized=T, vals={^J^I^I[0] = [ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F]^J^I}, settings=[max_len=<uninitialized>], top=1, bottom=0, size=0]^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
+                  [3] len: count         = 100
 
-1170717505.735416 x509_certificate
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] cert_ref: opaque of x509 = <no value description>
-                  [2] cert: X509::Certificate = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+1254722767.526085 dns_CNAME_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
+                  [2] ans: dns_answer    = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs]
+                  [3] name: string       = patriots.in
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]
+1254722767.526085 dns_A_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
+                  [2] ans: dns_answer    = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs]
+                  [3] a: addr            = 74.53.140.153
 
-1170717505.735416 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
+1254722767.526085 dns_end
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=1254722767.49206, uid=CXWv6p3arKYeMETxOg, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] msg: dns_msg       = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]
+1254722767.529046 new_connection
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]
+1254722767.875996 connection_established
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722767.529046, duration=0.34695, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 
+                  [5] cont_resp: bool    = T
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = We do not authorize the use of this system to transport unsolicited, 
+                  [5] cont_resp: bool    = T
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = and/or bulk e-mail.
+                  [5] cont_resp: bool    = F
 
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]
-
-1170717505.735416 file_hash
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 2c322ae2b7fe91391345e070b63668978bb1c9da
-
-1170717505.735416 file_hash
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 38a0a008a978591ccbe41f50a174751a
-
-1170717505.735416 file_state_remove
-                  [0] f: fa_file         = [id=FeCwNK3rzqPnZ7eBQ5, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-
-1170717505.735416 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SSL
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1170717505.735416 file_new
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
-
-1170717505.735416 file_over_new_connection
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [2] is_orig: bool      = F
-
-1170717505.735416 x509_certificate
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] cert_ref: opaque of x509 = <no value description>
-                  [2] cert: X509::Certificate = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
-
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]
-
-1170717505.735416 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
-
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]
-
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]
-
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]
-
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
-
-1170717505.735416 x509_extension
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]
-
-1170717505.735416 file_hash
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = de0f3a63cad13841e9b62c94502cb189d7661e49
-
-1170717505.735416 file_hash
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 81c888530afcad916fbe71d9417bf10c
-
-1170717505.735416 file_state_remove
-                  [0] f: fa_file         = [id=FfqS7r3rymnsSKq0m2, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717505.366729, duration=0.368687, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICXWv6p3arKYeMETxOg^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717505.735416, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-
-1170717505.934612 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717508.515696 new_connection
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717508.515696, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717508.696747 connection_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717508.515696, duration=0.181051, service={^J^J}, addl=, hot=0, history=Sh, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717508.697180 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
+1254722768.224809 protocol_confirmation
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
 
-1170717508.697180 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 2486404.0
-                  [3] client_random: string = \xa8\xa2\xabs\x9ad\xab\xb4\xe6\x8c\xfc\xfc4p\xffbi\xb1\xa8hXP\x1f\xbb\xd12~\xd8
-                  [4] session_id: string = \xa8\xc1\xc5h^Y$\xe8^J2\xa1]^^? \xbc^?Q>V\xb2^U^C\x9d^MU\xde\xfd\xa5\xa3 \xc0
-                  [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
+1254722768.224809 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = EHLO
+                  [3] arg: string        = GP
 
-1170717508.881857 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 1170717516.0
-                  [3] server_random: string = ^O\xac^?x#X|hC\x8c\x87\x87e3\xaf{^K\xaa*\x8f^Px\xeb\x8d^X"G\xe9
-                  [4] session_id: string = \x9eQ\xca\xef@\xad\x85\xf9\xf0=\xbb\x8c\x1f\xdc\x866!\x80\x8c1^Rr\xe1^BB\xcb@k\xf9^W\xbc\xd9
-                  [5] cipher: count      = 4
-                  [6] comp_method: count = 0
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = xc90.websitewelcome.com Hello GP [122.162.143.157]
+                  [5] cont_resp: bool    = T
 
-1170717508.883051 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SSL
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = SIZE 52428800
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = PIPELINING
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = AUTH PLAIN LOGIN
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = STARTTLS
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = HELP
+                  [5] cont_resp: bool    = F
+
+1254722768.568729 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = AUTH
+                  [3] arg: string        = LOGIN
+
+1254722768.911081 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH
+                  [4] msg: string        = VXNlcm5hbWU6
+                  [5] cont_resp: bool    = F
+
+1254722768.911655 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
+
+1254722769.253544 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = UGFzc3dvcmQ6
+                  [5] cont_resp: bool    = F
+
+1254722769.254118 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = cHVuamFiQDEyMw==
+
+1254722769.613798 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 235
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = Authentication succeeded
+                  [5] cont_resp: bool    = F
+
+1254722769.614414 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = MAIL
+                  [3] arg: string        = FROM: <gurpartap@patriots.in>
+
+1254722769.956765 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = MAIL
+                  [4] msg: string        = OK
+                  [5] cont_resp: bool    = F
+
+1254722769.957250 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
+
+1254722770.319708 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Accepted
+                  [5] cont_resp: bool    = F
+
+1254722770.320203 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = DATA
+                  [3] arg: string        = 
+
+1254722770.320203 mime_begin_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722770.661679 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 354
+                  [3] cmd: string        = DATA
+                  [4] msg: string        = Enter message, ending with "." on a line by itself
+                  [5] cont_resp: bool    = F
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" <gurpartap@patriots.in>]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=TO, value=<raj_deol2002in@yahoo.co.in>]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=SUBJECT, value=SMTP]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;^Iboundary="----=_NextPart_000_0004_01CA45B0.095693F0"]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}]
+
+1254722770.692743 mime_begin_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;^Iboundary="----=_NextPart_001_0005_01CA45B0.095693F0"]
+
+1254722770.692743 mime_begin_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=2], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Icharset="us-ascii"]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit]
+
+1254722770.692743 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717508.883051 file_new
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+1254722770.692743 mime_end_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717508.883051 file_over_new_connection
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692743 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = T
+
+1254722770.692743 file_new
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, info=<uninitialized>, u2_events=<uninitialized>]
+
+1254722770.692743 file_over_new_connection
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717508.883051 x509_certificate
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] cert_ref: opaque of x509 = <no value description>
-                  [2] cert: X509::Certificate = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+1254722770.692743 file_state_remove
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]
-
-1170717508.883051 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]
-
-1170717508.883051 file_hash
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 2c322ae2b7fe91391345e070b63668978bb1c9da
-
-1170717508.883051 file_hash
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 38a0a008a978591ccbe41f50a174751a
-
-1170717508.883051 file_state_remove
-                  [0] f: fa_file         = [id=FjkLnG4s34DVZlaBNc, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-
-1170717508.883051 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SSL
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692743 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717508.883051 file_new
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+1254722770.692743 mime_begin_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717508.883051 file_over_new_connection
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;^Icharset="us-ascii"]
+
+1254722770.692743 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
+
+1254722770.692786 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717508.883051 x509_certificate
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] cert_ref: opaque of x509 = <no value description>
-                  [2] cert: X509::Certificate = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+1254722770.692786 file_new
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, info=<uninitialized>, u2_events=<uninitialized>]
 
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]
-
-1170717508.883051 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
-
-1170717508.883051 x509_extension
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]
-
-1170717508.883051 file_hash
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = de0f3a63cad13841e9b62c94502cb189d7661e49
-
-1170717508.883051 file_hash
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 81c888530afcad916fbe71d9417bf10c
-
-1170717508.883051 file_state_remove
-                  [0] f: fa_file         = [id=FpMjNF4snD7UDqI5sk, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717508.515696, duration=0.367355, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICjhGID4nQcgTWjvg4c^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717508.883051, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-
-1170717509.082241 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717511.541455 new_connection
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717511.541455, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717511.722589 connection_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1170717511.541455, duration=0.181134, service={^J^J}, addl=, hot=0, history=Sh, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717511.722913 protocol_confirmation
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] atype: enum        = Analyzer::ANALYZER_SSL
-                  [2] aid: count         = 11
-
-1170717511.722913 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 2486407.0
-                  [3] client_random: string = $^F^D\xbe/VD\xc8\xdf\xd2\xe5\x1c\xc2\xb3\xa3^Aq\xbdX\x85>\xd7\xc6\xe3\xfc\xd1\x88F
-                  [4] session_id: string = \x9eQ\xca\xef@\xad\x85\xf9\xf0=\xbb\x8c\x1f\xdc\x866!\x80\x8c1^Rr\xe1^BB\xcb@k\xf9^W\xbc\xd9
-                  [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
-
-1170717511.908619 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 1170717519.0
-                  [3] server_random: string = \xfd\x1b\x8c^S^H\xa2\xca\xac^A^O\xcbv\xe9\xbd!\x98}\x89|\xb6\xc0(\xcd\xb3^WmY^D
-                  [4] session_id: string = /\xaa(\x8eH\x1b\x1fO^GK^Z\xd9\x91\xa1T\xbc\x9c/^Q^R\xc3NY;\x8e^N\xd2\xec\xa6=\xc7\xb0
-                  [5] cipher: count      = 4
-                  [6] comp_method: count = 0
-
-1170717511.909717 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SSL
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692786 file_over_new_connection
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717511.909717 file_new
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
-
-1170717511.909717 file_over_new_connection
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692804 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717511.909717 x509_certificate
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] cert_ref: opaque of x509 = <no value description>
-                  [2] cert: X509::Certificate = [version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+1254722770.692804 mime_end_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]
+1254722770.692804 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = T
 
-1170717511.909717 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
+1254722770.692804 file_state_remove
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1918, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]
-
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]
-
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]
-
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]
-
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]
-
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]
-
-1170717511.909717 file_hash
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 2c322ae2b7fe91391345e070b63668978bb1c9da
-
-1170717511.909717 file_hash
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 38a0a008a978591ccbe41f50a174751a
-
-1170717511.909717 file_state_remove
-                  [0] f: fa_file         = [id=FQXAWgI2FB5STbrff, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^D|0\x82^C\xe5\xa0^C^B^A^B^B^P^D\xa7\x81^V\xf0^C(;\xda+\x84b^D\x9f\x9e\xcb0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x1e^W^M061114000000Z^W^M071114235959Z0\x81\xc01^K0^I^F^CU^D^F^S^BDE1^O0^M^F^CU^D^H^S^FBayern1^Q0^O^F^CU^D^G^T^HMuenchen1705^F^CU^D^J^T.AGIS Allianz Dresdner Informationssysteme GmbH1301^F^CU^D^K^T*Terms of use at www.verisign.com/rpa (c)001\x1f0\x1d^F^CU^D^C^T^Vwww.dresdner-privat.de0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xeb\xa8t~\xfb\xe3\xb4\xea\xbe\x8b\x1c=\xed\xea\x86^DbQ\xe0*Z\x9e\x86o\x98\xcb\xbc\xc5\xed\xc5\xc8\xcaV\x9dL\x92X\xe1k^So\xbc\xb7\xe5.\x98@\xf7\x8f\xd6\xa3\xc0^J\xabFR\x1b8\xfc^E \xe7\x80\xee\xc6]\xd5\xbb^C\xfc\xc5\x83\xba\x9ag^H\xfd,\xba\xa3^H\x94\xf0\xb3\x1f^V(\xf6^Ef[\xbf^?\xa8Y\xfa\xbe\x99k6b\xb8n\xc6\x83GSc^OZ\xb4Q\xc1\x88\xa8U\xb9\xd41m=*J\x95^J\xd1{\x87^B^C^A\0^A\xa3\x82^Ay0\x82^Au0^I^F^CU\x1d^S^D^B0\00^K^F^CU\x1d^O^D^D^C^B^E\xa00F^F^CU\x1d\x1f^D?0=0;\xa09\xa07\x865http://crl.verisign.com/Class3InternationalServer.crl0D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^W^C0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/rpa0(^F^CU\x1d%^D!0\x1f^F^I`\x86H^A\x86\xf8B^D^A^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B04^F^H+^F^A^E^E^G^A^A^D(0&0$^F^H+^F^A^E^E^G0^A\x86^Xhttp://ocsp.verisign.com0m^F^H+^F^A^E^E^G^A^L^Da0_\xa1]\xa0[0Y0W0U^V^Iimage/gif0!0\x1f0^G^F^E+^N^C^B^Z^D^T\x8f\xe5\xd3^Z\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H^X,{^Y.0%^V#http://logo.verisign.com/vslogo.gif0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0/s\xe2o\xc1\x9e#~YP\x89\x95xo\xe9^D\xbd\x98TS`\xec^HR\xd2^J)\x92\x9am\xaa\xd5\xb1g\xc1b\xde\xc9^XNW=i\x9c\xb2^Cf\x92^C\xbb\xe8M\xc5\x98\xd4/B\xd9\xb6\xd2\xe0\x97^PXv\xcf\xe7\xd6\xa7\xcc\xbb\xdb%\xeeB]\xcb\xf0t\xab\xd2T\xe5\xe8\xbaQ^O\xa4\xc3>4\xfaR\xf2\xa0\xe6z\xf4\x8f\xdcvB\xbd=\xfcx\xc0\xb7\xeb^-\x1f\xc5\xa0^\xdf\xa0^Q\x87\xf8\xc3X^P\xc8y(\xf8\xe4, mime_type=binary, info=[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], u2_events=<uninitialized>]
-
-1170717511.909717 get_file_handle
-                  [0] tag: enum          = Analyzer::ANALYZER_SSL
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=1, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692804 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717511.909717 file_new
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=<uninitialized>, u2_events=<uninitialized>]
+1254722770.692804 mime_end_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717511.909717 file_over_new_connection
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SSL, depth=0, analyzers={^J^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722770.692804 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = T
+
+1254722770.692804 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
-1170717511.909717 x509_certificate
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] cert_ref: opaque of x509 = <no value description>
-                  [2] cert: X509::Certificate = [version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>]
+1254722770.692804 mime_begin_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]
+1254722770.692804 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;^Iname="NEWS.txt"]
 
-1170717511.909717 x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
+1254722770.692804 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable]
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]
+1254722770.692804 mime_one_header
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;^Ifilename="NEWS.txt"]
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]
+1254722770.692823 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]
+1254722770.692823 file_new
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, info=<uninitialized>, u2_events=<uninitialized>]
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
+1254722770.692823 file_over_new_connection
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717511.909717 x509_extension
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] ext: X509::Extension = [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]
+1254722770.692823 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717511.909717 file_hash
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = de0f3a63cad13841e9b62c94502cb189d7661e49
+1254722770.695115 new_connection
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
-1170717511.909717 file_hash
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 81c888530afcad916fbe71d9417bf10c
+1254722771.469814 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=7410, state=4, num_pkts=17, num_bytes_ip=12486, flow_label=0], resp=[size=462, state=4, num_pkts=12, num_bytes_ip=950, flow_label=0], start_time=1254722767.529046, duration=3.940768, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717511.909717 file_state_remove
-                  [0] f: fa_file         = [id=FUmSiM3TCtsyMGhcd, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={^J^I[[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp]] = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=2164, state=4, num_pkts=3, num_bytes_ip=1616, flow_label=0], start_time=1170717511.541455, duration=0.368262, service={^J^I^ISSL^J^I}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I^I194.127.84.106^J^I}, rx_hosts={^J^I^I192.150.187.164^J^I}, conn_uids={^J^I^ICCvvfg3TEfuqmmG4bh^J^I}, source=SSL, depth=0, analyzers={^J^I^IX509,^J^I^IMD5,^J^I^ISHA1^J^I}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1170717511.909717, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=0\x82^C\x860\x82^B\xef\xa0^C^B^A^B^B^Px\xeeH\xde^X[ q\xc9\xc9\xc3\xb5\x1d{\xdd\xc10^M^F^I*\x86H\x86\xf7^M^A^A^E^E\00_1^K0^I^F^CU^D^F^S^BUS1^W0^U^F^CU^D^J^S^NVeriSign, Inc.1705^F^CU^D^K^S.Class 3 Public Primary Certification Authority0\x1e^W^M970417000000Z^W^M111024235959Z0\x81\xba1\x1f0\x1d^F^CU^D^J^S^VVeriSign Trust Network1^W0^U^F^CU^D^K^S^NVeriSign, Inc.1301^F^CU^D^K^S*VeriSign International Server CA - Class 31I0G^F^CU^D^K^S@www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign0\x81\x9f0^M^F^I*\x86H\x86\xf7^M^A^A^A^E\0^C\x81\x8d\00\x81\x89^B\x81\x81\0\xd8\x82\x80\xe8\xd6^Y^B}\x1f\x85^X9%\xa2e+\xe1\xbf\xd4^E\xd3\xbc\xe66;\xaa\xf0Ll[\xb6\xe7\xaa<sEU\xb2\xf1\xbd\xea\x97B\xed\x9a4^J^U\xd4\xa9\\xf5@%\xdd\xd9^G\xc12\xb2ul\xc4\xca\xbb\xa3\xfeV'qC\xaac\xf50>\x93(\xe5\xfa\xf1^I;\xf3\xb7MN9\xf7\IZ\xb8\xc1\x1d\xd3\xb2\x8a\xfep0\x95B\xcb\xfe+Q\x8bZ<:\xf9"O\x90\xb2^B\xa7S\x9cO4\xe7\xab^D\xb2{o^B^C^A\0^A\xa3\x81\xe60\x81\xe30^O^F^CU\x1d^S^D^H0^F^A^A\xff^B^A\00D^F^CU\x1d ^D=0;09^F^K`\x86H^A\x86\xf8E^A^G^A^A0*0(^F^H+^F^A^E^E^G^B^A^V\x1chttps://www.verisign.com/CPS04^F^CU\x1d\x1f^D-0+0)\xa0'\xa0%\x86#http://crl.verisign.com/pca3-g2.crl04^F^CU\x1d%^D-0+^F^H+^F^A^E^E^G^C^A^F^H+^F^A^E^E^G^C^B^F^I`\x86H^A\x86\xf8B^D^A^F^J`\x86H^A\x86\xf8E^A^H^A0^K^F^CU\x1d^O^D^D^C^B^A^F0^Q^F^I`\x86H^A\x86\xf8B^A^A^D^D^C^B^A^F0^M^F^I*\x86H\x86\xf7^M^A^A^E^E\0^C\x81\x81\0#]\xee\xa6$^E\xfdv\xd3j^Z\xd6\xbaF^F\xaaj^O^C\x90f\xb2\xb0\xa6\xc2\x9e\xc9\x1e\xa3US\xaf>E\xfd\xdc\x8c'\xddS8^I\xbb|K+\xba\x95J\xfepN\x1bi\xd6<\xf7O^G\xc5\xf2^WZL\xa2\x8f\xac^K\x8a^F\xdb\xb9\xd4k\xc5\x1dX\xda^WR\xe3!\xf1\xd2\xd7Z\xd5\xe5\xabY{!z\x86j\xd4\xfe^W^Q:S^M\x9c`\xa0J\xd9^\xe4\x1d^L)\xaa^S^Ge\x86\x1f\xbf\xb4\xc9\x82S\x9c,^B\x8f#, mime_type=binary, info=[ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>], u2_events=<uninitialized>]
+1254722771.494181 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717512.108799 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722771.494181 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=8862, state=4, num_pkts=18, num_bytes_ip=13978, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965135, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717528.851698 ChecksumOffloading::check
-1170717528.851698 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=6012, state=5, num_pkts=61, num_bytes_ip=9160, flow_label=0], resp=[size=121583, state=5, num_pkts=101, num_bytes_ip=126847, flow_label=0], start_time=1170717508.515696, duration=3.001729, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFRfR, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722771.494199 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=10314, state=4, num_pkts=19, num_bytes_ip=15470, flow_label=0], resp=[size=462, state=4, num_pkts=13, num_bytes_ip=990, flow_label=0], start_time=1254722767.529046, duration=3.965153, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717531.882302 net_done
-                  [0] t: time            = 1170717531.882302
+1254722771.834628 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=11766, state=4, num_pkts=20, num_bytes_ip=16962, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305582, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717531.882302 filter_change_tracking
-1170717531.882302 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=4879, state=5, num_pkts=32, num_bytes_ip=6555, flow_label=0], resp=[size=32965, state=6, num_pkts=36, num_bytes_ip=34813, flow_label=0], start_time=1170717505.366729, duration=23.667015, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFr, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722771.834655 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717531.882302 connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=842, state=5, num_pkts=11, num_bytes_ip=1414, flow_label=0], resp=[size=3613, state=5, num_pkts=11, num_bytes_ip=4197, flow_label=0], start_time=1170717511.541455, duration=20.340781, service={^J^ISSL^J}, addl=, hot=0, history=ShADadFfR, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+1254722771.834655 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=13218, state=4, num_pkts=21, num_bytes_ip=18454, flow_label=0], resp=[size=462, state=4, num_pkts=14, num_bytes_ip=1030, flow_label=0], start_time=1254722767.529046, duration=4.305609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
 
-1170717531.882302 bro_done
-1170717531.882302 ChecksumOffloading::check
+1254722771.858316 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14670, state=4, num_pkts=22, num_bytes_ip=19946, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.32927, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1254722771.858334 mime_end_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = T
+
+1254722771.858334 file_state_remove
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10823, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1254722771.858334 mime_end_entity
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = T
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = T
+
+1254722771.858334 get_file_handle
+                  [0] tag: enum          = Analyzer::ANALYZER_SMTP
+                  [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [2] is_orig: bool      = F
+
+1254722771.858334 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = .
+                  [3] arg: string        = .
+
+1254722772.248789 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = .
+                  [4] msg: string        = OK id=1Mugho-0003Dg-Un
+                  [5] cont_resp: bool    = F
+
+1254722774.763825 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = QUIT
+                  [3] arg: string        = 
+
+1254722775.105467 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 221
+                  [3] cmd: string        = QUIT
+                  [4] msg: string        = xc90.websitewelcome.com closing connection
+                  [5] cont_resp: bool    = F
+
+1254722776.690444 new_connection
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722776.690444 net_done
+                  [0] t: time            = 1254722776.690444
+
+1254722776.690444 ChecksumOffloading::check
+1254722776.690444 connection_state_remove
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0], start_time=1254722767.49206, duration=0.034025, service={^J^IDNS^J}, addl=, hot=0, history=Dd, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_queries={^J^J}, pending_replies={^J^J}], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722776.690444 filter_change_tracking
+1254722776.690444 connection_state_remove
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0], start_time=1254722767.529046, duration=7.576953, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaFf, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722776.690444 connection_state_remove
+                  [0] c: connection      = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722776.690444, duration=0.0, service={^J^J}, addl=, hot=0, history=D, uid=CsRx2w45OKnoww6xl4, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722776.690444 connection_state_remove
+                  [0] c: connection      = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.001519, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+
+1254722776.690444 bro_done
+1254722776.690444 ChecksumOffloading::check
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
new file mode 100644
index 0000000000..4e01996097
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log
@@ -0,0 +1,190 @@
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 
+                  [5] cont_resp: bool    = T
+
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = We do not authorize the use of this system to transport unsolicited, 
+                  [5] cont_resp: bool    = T
+
+1254722768.219663 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0], start_time=1254722767.529046, duration=0.690617, service={^J^J}, addl=, hot=0, history=ShAd, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 220
+                  [3] cmd: string        = >
+                  [4] msg: string        = and/or bulk e-mail.
+                  [5] cont_resp: bool    = F
+
+1254722768.224809 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0], start_time=1254722767.529046, duration=0.695763, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = EHLO
+                  [3] arg: string        = GP
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = xc90.websitewelcome.com Hello GP [122.162.143.157]
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = SIZE 52428800
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = PIPELINING
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = AUTH PLAIN LOGIN
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = STARTTLS
+                  [5] cont_resp: bool    = T
+
+1254722768.566183 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0], start_time=1254722767.529046, duration=1.037137, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = EHLO
+                  [4] msg: string        = HELP
+                  [5] cont_resp: bool    = F
+
+1254722768.568729 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.039683, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = AUTH
+                  [3] arg: string        = LOGIN
+
+1254722768.911081 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0], start_time=1254722767.529046, duration=1.382035, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH
+                  [4] msg: string        = VXNlcm5hbWU6
+                  [5] cont_resp: bool    = F
+
+1254722768.911655 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.382609, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = Z3VycGFydGFwQHBhdHJpb3RzLmlu
+
+1254722769.253544 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0], start_time=1254722767.529046, duration=1.724498, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 334
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = UGFzc3dvcmQ6
+                  [5] cont_resp: bool    = F
+
+1254722769.254118 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=1.725072, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = **
+                  [3] arg: string        = cHVuamFiQDEyMw==
+
+1254722769.613798 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0], start_time=1254722767.529046, duration=2.084752, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 235
+                  [3] cmd: string        = AUTH_ANSWER
+                  [4] msg: string        = Authentication succeeded
+                  [5] cont_resp: bool    = F
+
+1254722769.614414 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.085368, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = MAIL
+                  [3] arg: string        = FROM: <gurpartap@patriots.in>
+
+1254722769.956765 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0], start_time=1254722767.529046, duration=2.427719, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = MAIL
+                  [4] msg: string        = OK
+                  [5] cont_resp: bool    = F
+
+1254722769.957250 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.428204, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = RCPT
+                  [3] arg: string        = TO: <raj_deol2002in@yahoo.co.in>
+
+1254722770.319708 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0], start_time=1254722767.529046, duration=2.790662, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = RCPT
+                  [4] msg: string        = Accepted
+                  [5] cont_resp: bool    = F
+
+1254722770.320203 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=2.791157, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = DATA
+                  [3] arg: string        = 
+
+1254722770.661679 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0], start_time=1254722767.529046, duration=3.132633, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=1], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 354
+                  [3] cmd: string        = DATA
+                  [4] msg: string        = Enter message, ending with "." on a line by itself
+                  [5] cont_resp: bool    = F
+
+1254722771.858334 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = .
+                  [3] arg: string        = .
+
+1254722772.248789 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0], start_time=1254722767.529046, duration=4.719743, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 250
+                  [3] cmd: string        = .
+                  [4] msg: string        = OK id=1Mugho-0003Dg-Un
+                  [5] cont_resp: bool    = F
+
+1254722774.763825 smtp_request
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.234779, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = T
+                  [2] command: string    = QUIT
+                  [3] arg: string        = 
+
+1254722775.105467 smtp_reply
+                  [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0], start_time=1254722767.529046, duration=7.576421, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDaF, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722772.248789, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=<uninitialized>, path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, process_received_from=T, has_client_activity=F, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [1] is_orig: bool      = F
+                  [2] code: count        = 221
+                  [3] cmd: string        = QUIT
+                  [4] msg: string        = xc90.websitewelcome.com closing connection
+                  [5] cont_resp: bool    = F
+
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
deleted file mode 100644
index 1cab8fa5f2..0000000000
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/ssl-events.log
+++ /dev/null
@@ -1,60 +0,0 @@
-1170717505.549109 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717505.366729, duration=0.18238, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 2
-                  [2] possible_ts: time  = 0.0
-                  [3] client_random: string = \xe6\xb8\xef\xdf\x91\xcfD\xf7\xea\xe4<\x839\x8f\xdc\xb2
-                  [4] session_id: string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
-                  [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
-
-1170717505.734145 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=87, state=4, num_pkts=3, num_bytes_ip=255, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717505.366729, duration=0.367416, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 1170717513.0
-                  [3] server_random: string = +e\x8dQ\x83\xbb\xae\xdb\xf3^\x8f^Ro\xf9&\xb1Iy\xcdp=$*\xea\x99j_\xda
-                  [4] session_id: string = \xa8\xc1\xc5h^Y$\xe8^J2\xa1]^^? \xbc^?Q>V\xb2^U^C\x9d^MU\xde\xfd\xa5\xa3 \xc0
-                  [5] cipher: count      = 4
-                  [6] comp_method: count = 0
-
-1170717505.934612 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=269, state=4, num_pkts=5, num_bytes_ip=541, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717505.366729, duration=0.567883, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CXWv6p3arKYeMETxOg, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717505.549109, uid=CXWv6p3arKYeMETxOg, id=[orig_h=192.150.187.164, orig_p=58868/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=3, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717505.735416, fuid=FeCwNK3rzqPnZ7eBQ5, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FeCwNK3rzqPnZ7eBQ5, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717505.735416, fuid=FfqS7r3rymnsSKq0m2, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICXWv6p3arKYeMETxOg^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717505.735416, id=FfqS7r3rymnsSKq0m2, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FeCwNK3rzqPnZ7eBQ5, FfqS7r3rymnsSKq0m2], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717508.697180 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717508.515696, duration=0.181484, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 2486404.0
-                  [3] client_random: string = \xa8\xa2\xabs\x9ad\xab\xb4\xe6\x8c\xfc\xfc4p\xffbi\xb1\xa8hXP\x1f\xbb\xd12~\xd8
-                  [4] session_id: string = \xa8\xc1\xc5h^Y$\xe8^J2\xa1]^^? \xbc^?Q>V\xb2^U^C\x9d^MU\xde\xfd\xa5\xa3 \xc0
-                  [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
-
-1170717508.881857 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717508.515696, duration=0.366161, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 1170717516.0
-                  [3] server_random: string = ^O\xac^?x#X|hC\x8c\x87\x87e3\xaf{^K\xaa*\x8f^Px\xeb\x8d^X"G\xe9
-                  [4] session_id: string = \x9eQ\xca\xef@\xad\x85\xf9\xf0=\xbb\x8c\x1f\xdc\x866!\x80\x8c1^Rr\xe1^BB\xcb@k\xf9^W\xbc\xd9
-                  [5] cipher: count      = 4
-                  [6] comp_method: count = 0
-
-1170717509.082241 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717508.515696, duration=0.566545, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717508.69718, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=192.150.187.164, orig_p=58869/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=a8c1c5681924e80a32a15d5e7f20bc5e3f513e56b215039d0d55defda5a320c0, last_alert=<uninitialized>, analyzer_id=7, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717508.883051, fuid=FjkLnG4s34DVZlaBNc, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FjkLnG4s34DVZlaBNc, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717508.883051, fuid=FpMjNF4snD7UDqI5sk, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717508.883051, id=FpMjNF4snD7UDqI5sk, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FjkLnG4s34DVZlaBNc, FpMjNF4snD7UDqI5sk], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
-1170717511.722913 ssl_client_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0], start_time=1170717511.541455, duration=0.181458, service={^J^ISSL^J}, addl=, hot=0, history=ShAD, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=<uninitialized>, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 2486407.0
-                  [3] client_random: string = $^F^D\xbe/VD\xc8\xdf\xd2\xe5\x1c\xc2\xb3\xa3^Aq\xbdX\x85>\xd7\xc6\xe3\xfc\xd1\x88F
-                  [4] session_id: string = \x9eQ\xca\xef@\xad\x85\xf9\xf0=\xbb\x8c\x1f\xdc\x866!\x80\x8c1^Rr\xe1^BB\xcb@k\xf9^W\xbc\xd9
-                  [5] ciphers: vector of count = [57, 56, 53, 51, 50, 4, 5, 47, 22, 19, 65279, 10, 21, 18, 65278, 9, 100, 98, 3, 6]
-
-1170717511.908619 ssl_server_hello
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=120, state=4, num_pkts=3, num_bytes_ip=288, flow_label=0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0], start_time=1170717511.541455, duration=0.367164, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=<uninitialized>, cipher=<uninitialized>, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fuids=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fuids=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-                  [1] version: count     = 769
-                  [2] possible_ts: time  = 1170717519.0
-                  [3] server_random: string = \xfd\x1b\x8c^S^H\xa2\xca\xac^A^O\xcbv\xe9\xbd!\x98}\x89|\xb6\xc0(\xcd\xb3^WmY^D
-                  [4] session_id: string = /\xaa(\x8eH\x1b\x1fO^GK^Z\xd9\x91\xa1T\xbc\x9c/^Q^R\xc3NY;\x8e^N\xd2\xec\xa6=\xc7\xb0
-                  [5] cipher: count      = 4
-                  [6] comp_method: count = 0
-
-1170717512.108799 ssl_established
-                  [0] c: connection      = [id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], orig=[size=302, state=4, num_pkts=5, num_bytes_ip=574, flow_label=0], resp=[size=2207, state=4, num_pkts=5, num_bytes_ip=2436, flow_label=0], start_time=1170717511.541455, duration=0.567344, service={^J^ISSL^J}, addl=, hot=0, history=ShADad, uid=CCvvfg3TEfuqmmG4bh, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=1170717511.722913, uid=CCvvfg3TEfuqmmG4bh, id=[orig_h=192.150.187.164, orig_p=58870/tcp, resp_h=194.127.84.106, resp_p=443/tcp], version=TLSv10, cipher=TLS_RSA_WITH_RC4_128_MD5, server_name=<uninitialized>, session_id=9e51caef40ad85f9f03dbb8c1fdc863621808c311272e10242cb406bf917bcd9, last_alert=<uninitialized>, analyzer_id=11, established=F, logged=F, delay_tokens=<uninitialized>, cert_chain=[[ts=1170717511.909717, fuid=FQXAWgI2FB5STbrff, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1152, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=38a0a008a978591ccbe41f50a174751a, sha1=2c322ae2b7fe91391345e070b63668978bb1c9da, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FQXAWgI2FB5STbrff, certificate=[version=2, serial=04A78116F003283BDA2B8462049F9ECB, subject=CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE, issuer=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, not_valid_before=1163462400.0, not_valid_after=1195084799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:FALSE], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Digital Signature, Key Encipherment], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/Class3InternationalServer.crl^J], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.23.3^J  CPS: https://www.verisign.com/rpa^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=Netscape Server Gated Crypto, TLS Web Server Authentication, TLS Web Client Authentication], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.verisign.com^J], [name=1.3.6.1.5.5.7.1.12, short_name=UNDEF, oid=1.3.6.1.5.5.7.1.12, critical=F, value=0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>]], extracted=<uninitialized>], [ts=1170717511.909717, fuid=FUmSiM3TCtsyMGhcd, tx_hosts={^J^I194.127.84.106^J}, rx_hosts={^J^I192.150.187.164^J}, conn_uids={^J^ICCvvfg3TEfuqmmG4bh^J}, source=SSL, depth=0, analyzers={^J^IX509,^J^IMD5,^J^ISHA1^J}, mime_type=binary, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=906, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=81c888530afcad916fbe71d9417bf10c, sha1=de0f3a63cad13841e9b62c94502cb189d7661e49, sha256=<uninitialized>, x509=[ts=1170717511.909717, id=FUmSiM3TCtsyMGhcd, certificate=[version=2, serial=78EE48DE185B2071C9C9C3B51D7BDDC1, subject=OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\, Inc.,O=VeriSign Trust Network, issuer=OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US, not_valid_before=861235200.0, not_valid_after=1319500799.0, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=1024, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=F, value=CA:TRUE, pathlen:0], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.1.1^J  CPS: https://www.verisign.com/CPS^J], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=^JFull Name:^J  URI:http://crl.verisign.com/pca3-g2.crl^J], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, 2.16.840.1.113733.1.8.1], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign], [name=Netscape Cert Type, short_name=nsCertType, oid=2.16.840.1.113730.1.1, critical=F, value=SSL CA, S/MIME CA]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0]], extracted=<uninitialized>]], cert_chain_fuids=[FQXAWgI2FB5STbrff, FUmSiM3TCtsyMGhcd], client_cert_chain=[], client_cert_chain_fuids=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, server_depth=2, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
-
diff --git a/testing/btest/core/leaks/x509_verify.bro b/testing/btest/core/leaks/x509_verify.bro
new file mode 100644
index 0000000000..5dd1e97f4e
--- /dev/null
+++ b/testing/btest/core/leaks/x509_verify.bro
@@ -0,0 +1,27 @@
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/tls-expired-cert.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 15
+
+@load base/protocols/ssl
+
+event ssl_established(c: connection) &priority=3
+	{
+	local chain: vector of opaque of x509 = vector();
+	for ( i in c$ssl$cert_chain )
+		{
+		chain[i] = c$ssl$cert_chain[i]$x509$handle;
+		}
+
+	local result = x509_verify(chain, SSL::root_certs);
+	print fmt("Validation result: %s", result$result_string);
+	if ( result$result != 0 ) # not ok
+		return;
+
+	print "Resulting chain:";
+	for ( i in result$chain_certs )
+		{
+		local cert = result$chain_certs[i];
+		local certinfo = x509_parse(cert);
+		local sha1 = sha1_hash(x509_get_certificate_string(cert));
+		print fmt("Fingerprint: %s, Subject: %s", sha1, certinfo$subject);
+		}
+	}
diff --git a/testing/btest/scripts/policy/misc/dump-events.bro b/testing/btest/scripts/policy/misc/dump-events.bro
index 59834b6854..49d3a47aee 100644
--- a/testing/btest/scripts/policy/misc/dump-events.bro
+++ b/testing/btest/scripts/policy/misc/dump-events.bro
@@ -1,7 +1,7 @@
-# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro >all-events.log
-# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
-# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace policy/misc/dump-events.bro DumpEvents::include=/ssl_/ >ssl-events.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro >all-events.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include=/smtp_/ >smtp-events.log
 # 
 # @TEST-EXEC: btest-diff all-events.log
 # @TEST-EXEC: btest-diff all-events-no-args.log
-# @TEST-EXEC: btest-diff ssl-events.log
+# @TEST-EXEC: btest-diff smtp-events.log

From d42d9bbc3fda1b3424cf715b590c1c78874c53d6 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 13 Mar 2014 16:10:59 -0700
Subject: [PATCH 102/220] (hopefully) last change -> return real opaque vec
 instead of any_vec

---
 src/file_analysis/analyzer/x509/functions.bif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index e20028cc60..df0832616d 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -209,7 +209,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			}
 		
 		int num_certs = sk_X509_num(chain);
-		chainVector = new VectorVal(internal_type("any_vec")->AsVectorType());
+		chainVector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
 
 		for ( int i = 0; i < num_certs; i++ ) 
 			{

From 285de1390a6c513f95e81e88ca4ab405ed08ca21 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 13 Mar 2014 16:20:49 -0700
Subject: [PATCH 103/220] Forgot the preamble for the new leak test

---
 testing/btest/core/leaks/x509_verify.bro | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/testing/btest/core/leaks/x509_verify.bro b/testing/btest/core/leaks/x509_verify.bro
index 5dd1e97f4e..426a95d2c2 100644
--- a/testing/btest/core/leaks/x509_verify.bro
+++ b/testing/btest/core/leaks/x509_verify.bro
@@ -1,3 +1,9 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/tls-expired-cert.trace %INPUT
 # @TEST-EXEC: btest-bg-wait 15
 

From 00755f1e40c7ef4543e4dc9f2d570d63e33f6cdf Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 13 Mar 2014 16:51:21 -0700
Subject: [PATCH 104/220] Fixing (very unlikely) double delete in HTTP analyzer
 when decapsulating CONNECTs.

BIT-1149 #closed
---
 src/analyzer/protocol/http/HTTP.cc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 0d49bb037f..f676643b7c 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1085,11 +1085,8 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 						}
 
 					else
-						{
-						// Shouldn't really happen.
-						delete pia;
+						// AddChildAnalyzer() will have deleted PIA.
 						pia = 0;
-						}
 					}
 
 				InitHTTPMessage(content_line,

From 17f9d0a47d5f348ea1631a0372debb2034b78173 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 13 Mar 2014 18:02:41 -0700
Subject: [PATCH 105/220] Fixing compiler error.

Hopefully ...
---
 src/threading/formatters/JSON.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 7f3321ca96..a47de94c0f 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -8,6 +8,12 @@
 
 #include "./JSON.h"
 
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS
+#endif
+
+#include <stdint.h>
+
 using namespace threading::formatter;
 
 JSON::JSON(MsgThread* t, TimeFormat tf) : Formatter(t)

From 8b241947d665e8791d53ba4f1d1d633566628e37 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Fri, 14 Mar 2014 08:45:36 -0700
Subject: [PATCH 106/220] Fixing a few cases of undefined behaviour introduced
 by recent formatter work.

Thanks, Coverity!
---
 src/input/readers/Ascii.cc        |  1 +
 src/logging/writers/Ascii.cc      |  1 +
 src/threading/Formatter.h         |  2 +-
 src/threading/formatters/Ascii.cc | 26 +++++++++++++++-----------
 src/threading/formatters/Ascii.h  |  2 +-
 src/threading/formatters/JSON.cc  |  2 +-
 src/threading/formatters/JSON.h   |  2 +-
 7 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/src/input/readers/Ascii.cc b/src/input/readers/Ascii.cc
index 9bef57c264..a79121e80a 100644
--- a/src/input/readers/Ascii.cc
+++ b/src/input/readers/Ascii.cc
@@ -51,6 +51,7 @@ Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend)
 	{
 	file = 0;
 	mtime = 0;
+	formatter = 0;
 	}
 
 Ascii::~Ascii()
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index 9b95639843..a04b30cbae 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -20,6 +20,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	fd = 0;
 	ascii_done = false;
 	tsv = false;
+	formatter = 0;
 	}
 
 Ascii::~Ascii()
diff --git a/src/threading/Formatter.h b/src/threading/Formatter.h
index 9f69a3879a..ebdf0c1a87 100644
--- a/src/threading/Formatter.h
+++ b/src/threading/Formatter.h
@@ -76,7 +76,7 @@ public:
 	 * @return The new value, or null on error. Errors must also be
 	 * flagged via the thread.
 	 */
-	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const = 0;
+	virtual threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const = 0;
 
 	/**
 	 * Convert an IP address into a string.
diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc
index c400f8a7ad..3120549f13 100644
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -201,7 +201,7 @@ bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) con
 	}
 
 
-threading::Value* Ascii::ParseValue(string s, string name, TypeTag type, TypeTag subtype) const
+threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype) const
 	{
 	if ( s.compare(separators.unset_field) == 0 )  // field is not set...
 		return new threading::Value(type, false);
@@ -214,10 +214,12 @@ threading::Value* Ascii::ParseValue(string s, string name, TypeTag type, TypeTag
 	switch ( type ) {
 	case TYPE_ENUM:
 	case TYPE_STRING:
-		s = get_unescaped_string(s);
-		val->val.string_val.length = s.size();
-		val->val.string_val.data = copy_string(s.c_str());
+		{
+		string unescaped = get_unescaped_string(s);
+		val->val.string_val.length = unescaped.size();
+		val->val.string_val.data = copy_string(unescaped.c_str());
 		break;
+		}
 
 	case TYPE_BOOL:
 		if ( s == "T" )
@@ -263,21 +265,21 @@ threading::Value* Ascii::ParseValue(string s, string name, TypeTag type, TypeTag
 
 	case TYPE_SUBNET:
 		{
-		s = get_unescaped_string(s);
-		size_t pos = s.find("/");
-		if ( pos == s.npos )
+		string unescaped = get_unescaped_string(s);
+		size_t pos = unescaped.find("/");
+		if ( pos == unescaped.npos )
 			{
 			GetThread()->Error(GetThread()->Fmt("Invalid value for subnet: %s", start));
 			goto parse_error;
 			}
 
-		string width_str = s.substr(pos + 1);
+		string width_str = unescaped.substr(pos + 1);
 		uint8_t width = (uint8_t) strtol(width_str.c_str(), &end, 10);
 
 		if ( CheckNumberError(start, end) )
 			goto parse_error;
 
-		string addr = s.substr(0, pos);
+		string addr = unescaped.substr(0, pos);
 
 		val->val.subnet_val.prefix = ParseAddr(addr);
 		val->val.subnet_val.length = width;
@@ -285,9 +287,11 @@ threading::Value* Ascii::ParseValue(string s, string name, TypeTag type, TypeTag
 		}
 
 	case TYPE_ADDR:
-		s = get_unescaped_string(s);
-		val->val.addr_val = ParseAddr(s);
+		{
+		string unescaped = get_unescaped_string(s);
+		val->val.addr_val = ParseAddr(unescaped);
 		break;
+		}
 
 	case TYPE_TABLE:
 	case TYPE_VECTOR:
diff --git a/src/threading/formatters/Ascii.h b/src/threading/formatters/Ascii.h
index ab5e29c1f0..d02b6a89c7 100644
--- a/src/threading/formatters/Ascii.h
+++ b/src/threading/formatters/Ascii.h
@@ -50,7 +50,7 @@ public:
 	virtual bool Describe(ODesc* desc, threading::Value* val, const string& name = "") const;
 	virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields,
 	                      threading::Value** vals) const;
-	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
+	virtual threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
 
 private:
 	bool CheckNumberError(const char* start, const char* end) const;
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index a47de94c0f..17e8808e98 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -212,7 +212,7 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
 	return true;
 	}
 
-threading::Value* JSON::ParseValue(string s, string name, TypeTag type, TypeTag subtype) const
+threading::Value* JSON::ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype) const
 	{
 	GetThread()->Error("JSON formatter does not support parsing yet.");
 	return NULL;
diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h
index 86f3472125..d7859f83fb 100644
--- a/src/threading/formatters/JSON.h
+++ b/src/threading/formatters/JSON.h
@@ -25,7 +25,7 @@ public:
 	virtual bool Describe(ODesc* desc, threading::Value* val, const string& name = "") const;
 	virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields,
 	                      threading::Value** vals) const;
-	virtual threading::Value* ParseValue(string s, string name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
+	virtual threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const;
 
 private:
 	TimeFormat timestamps;

From dbe5dfb3c3ae0843ae6cfd30ce73bae7364bae79 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 14 Mar 2014 12:01:09 -0500
Subject: [PATCH 107/220] Derive results of DNS lookups from from input when in
 BRO_DNS_FAKE mode.

Addresses BIT-1134.
---
 src/DNS_Mgr.cc                           | 31 ++++++++++++++++--------
 src/DNS_Mgr.h                            |  5 ----
 testing/btest/Baseline/core.fake_dns/out | 12 ++++-----
 3 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index aad0f71ab7..9188d61b96 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -2,6 +2,7 @@
 
 #include "config.h"
 
+#include <openssl/md5.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -385,7 +386,6 @@ DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
 			dns_mapping_altered =  0;
 
 	dm_rec = 0;
-	dns_fake_count = 0;
 
 	cache_name = dir = 0;
 
@@ -443,19 +443,30 @@ bool DNS_Mgr::Init()
 	return true;
 	}
 
-TableVal* DNS_Mgr::BuildFakeAddrResult()
+static TableVal* fake_name_lookup_result(const char* name)
 	{
+	uint32 hash[4];
+	MD5(reinterpret_cast<const u_char*>(name), strlen(name),
+	    reinterpret_cast<u_char*>(hash));
 	ListVal* hv = new ListVal(TYPE_ADDR);
-	hv->Append(new AddrVal(++dns_fake_count));
+	hv->Append(new AddrVal(hash));
 	TableVal* tv = hv->ConvertToSet();
 	Unref(hv);
 	return tv;
 	}
 
-const char* DNS_Mgr::BuildFakeNameResult()
+static const char* fake_text_lookup_result(const char* name)
 	{
-	static char tmp[32];
-	snprintf(tmp, sizeof(tmp), "fake_result_%"PRIu32, ++dns_fake_count);
+	static char tmp[32 + 256];
+	snprintf(tmp, sizeof(tmp), "fake_text_lookup_result_%s", name);
+	return tmp;
+	}
+
+static const char* fake_addr_lookup_result(const IPAddr& addr)
+	{
+	static char tmp[128];
+	snprintf(tmp, sizeof(tmp), "fake_addr_lookup_result_%s",
+	         addr.AsString().c_str());
 	return tmp;
 	}
 
@@ -468,7 +479,7 @@ TableVal* DNS_Mgr::LookupHost(const char* name)
 		Init();
 
 	if ( mode == DNS_FAKE )
-		return BuildFakeAddrResult();
+		return fake_name_lookup_result(name);
 
 	if ( mode != DNS_PRIME )
 		{
@@ -1044,7 +1055,7 @@ void DNS_Mgr::AsyncLookupAddr(const IPAddr& host, LookupCallback* callback)
 
 	if ( mode == DNS_FAKE )
 		{
-		resolve_lookup_cb(callback, BuildFakeNameResult());
+		resolve_lookup_cb(callback, fake_addr_lookup_result(host));
 		return;
 		}
 
@@ -1083,7 +1094,7 @@ void DNS_Mgr::AsyncLookupName(const string& name, LookupCallback* callback)
 
 	if ( mode == DNS_FAKE )
 		{
-		resolve_lookup_cb(callback, BuildFakeAddrResult());
+		resolve_lookup_cb(callback, fake_name_lookup_result(name.c_str()));
 		return;
 		}
 
@@ -1122,7 +1133,7 @@ void DNS_Mgr::AsyncLookupNameText(const string& name, LookupCallback* callback)
 
 	if ( mode == DNS_FAKE )
 		{
-		resolve_lookup_cb(callback, BuildFakeNameResult());
+		resolve_lookup_cb(callback, fake_text_lookup_result(name.c_str()));
 		return;
 		}
 
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
index ccace3303e..7864505add 100644
--- a/src/DNS_Mgr.h
+++ b/src/DNS_Mgr.h
@@ -102,9 +102,6 @@ protected:
 
 	Val* BuildMappingVal(DNS_Mapping* dm);
 
-	TableVal* BuildFakeAddrResult();
-	const char* BuildFakeNameResult();
-
 	void AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r);
 	void CompareMappings(DNS_Mapping* prev_dm, DNS_Mapping* new_dm);
 	ListVal* AddrListDelta(ListVal* al1, ListVal* al2);
@@ -166,8 +163,6 @@ protected:
 
 	RecordType* dm_rec;
 
-	uint32 dns_fake_count;	// used to generate unique fake replies
-
 	typedef list<LookupCallback*> CallbackList;
 
 	struct AsyncRequest {
diff --git a/testing/btest/Baseline/core.fake_dns/out b/testing/btest/Baseline/core.fake_dns/out
index 5e1e72301d..48398a6c94 100644
--- a/testing/btest/Baseline/core.fake_dns/out
+++ b/testing/btest/Baseline/core.fake_dns/out
@@ -1,10 +1,10 @@
 {
-3.0.0.0,
-2.0.0.0,
-1.0.0.0
+50cd:1a9a:1837:5803:9b08:41aa:738c:3f0b,
+477c:8c51:4f4f:61ec:9981:1259:86b8:8987,
+1d59:20f4:b44b:27a8:2bd:77c4:f053:6f5a
 }
-lookup_hostname_txt, fake_result_4
+lookup_hostname_txt, fake_text_lookup_result_bro.wp.dg.cx
 lookup_hostname, {
-5.0.0.0
+5aba:bd60:3b22:7803:2dd:8d83:498e:5172
 }
-lookup_addr, fake_result_6
+lookup_addr, fake_addr_lookup_result_1.2.3.4

From 6595c7c75b00e46d9117b9d7eb5a90dfdcee1505 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 14 Mar 2014 17:26:38 -0500
Subject: [PATCH 108/220] Improve SerializationFormat's write buffer growth
 strategy.

---
 src/SerializationFormat.cc | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
index eb8462521e..20392e5a73 100644
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@@ -13,7 +13,7 @@ SerializationFormat::SerializationFormat()
 
 SerializationFormat::~SerializationFormat()
 	{
-	delete [] output;
+	free(output);
 	}
 
 void SerializationFormat::StartRead(char* data, uint32 arg_len)
@@ -33,13 +33,13 @@ void SerializationFormat::StartWrite()
 	{
 	if ( output && output_size > INITIAL_SIZE )
 		{
-		delete [] output;
+		free(output);
 		output = 0;
 		}
 
 	if ( ! output )
 		{
-		output = new char[INITIAL_SIZE];
+		output = (char*)safe_malloc(INITIAL_SIZE);
 		output_size = INITIAL_SIZE;
 		}
 
@@ -75,11 +75,8 @@ bool SerializationFormat::WriteData(const void* b, size_t count)
 	// Increase buffer if necessary.
 	while ( output_pos + count > output_size )
 		{
-		output_size = output_pos + count + INITIAL_SIZE;
-		char* tmp = new char[output_size];
-		memcpy(tmp, output, output_pos);
-		delete [] output;
-		output = tmp;
+		output_size += output_size * 1.5;
+		output = (char*)safe_realloc(output, output_size);
 		}
 
 	memcpy(output + output_pos, b, count);

From 908b574c1823d2181cd628b11e6cd0117e2b449d Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 16 Mar 2014 07:47:06 -0700
Subject: [PATCH 109/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index 756eb3e5bd..f8273c9eb5 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 756eb3e5bd63a830cfb0fab3ab6a41115f02c05b
+Subproject commit f8273c9eb5db1168c21b298cd3af4f9b4b008717

From 636d25e526d899bdea072a8831d57dfeaddac175 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sun, 16 Mar 2014 22:20:26 -0700
Subject: [PATCH 110/220] Fix compile errror on freebsd - defines have to be
 moved up due to header dependencies.

---
 src/threading/formatters/JSON.cc | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 17e8808e98..17712e8d53 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -2,18 +2,17 @@
 
 #include "config.h"
 
-#include <sstream>
-#include <errno.h>
-#include <math.h>
-
-#include "./JSON.h"
-
 #ifndef __STDC_LIMIT_MACROS
 #define __STDC_LIMIT_MACROS
 #endif
 
+#include <sstream>
+#include <errno.h>
+#include <math.h>
 #include <stdint.h>
 
+#include "./JSON.h"
+
 using namespace threading::formatter;
 
 JSON::JSON(MsgThread* t, TimeFormat tf) : Formatter(t)

From 66ec267b2a84df7001934e5c8bf5b5053355a333 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 17 Mar 2014 00:11:27 -0700
Subject: [PATCH 111/220] update submodules

---
 src/3rdparty | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/3rdparty b/src/3rdparty
index e96d95a130..14c6ee979c 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit e96d95a130a572b611fe70b3c3ede2b4727aaa22
+Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58

From bf6f21041cbad6cf5f6f458f02404a7e82f63af2 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 17 Mar 2014 09:18:01 -0700
Subject: [PATCH 112/220] Updating submodule(s).

 [nomail]
---
 src/3rdparty | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/3rdparty b/src/3rdparty
index e96d95a130..14c6ee979c 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit e96d95a130a572b611fe70b3c3ede2b4727aaa22
+Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58

From af36915186de6e08aacf76ebe0eae6d5ff2777fe Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 17 Mar 2014 16:06:14 -0400
Subject: [PATCH 113/220] Change the standalone sumstats mode to work
 incrementally.

---
 .../base/frameworks/sumstats/non-cluster.bro  | 40 +++++++++++++++----
 .../{.stdout => standalone..stdout}           |  0
 .../base/frameworks/sumstats/basic.bro        | 10 +++--
 3 files changed, 39 insertions(+), 11 deletions(-)
 rename testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/{.stdout => standalone..stdout} (100%)

diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro
index 97e1817598..9cf4041fc0 100644
--- a/scripts/base/frameworks/sumstats/non-cluster.bro
+++ b/scripts/base/frameworks/sumstats/non-cluster.bro
@@ -2,23 +2,47 @@
 
 module SumStats;
 
+event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable)
+	{
+	# TODO: is this the right processing group size?
+	local i = 50;
+	for ( key in data )
+		{
+		ss$epoch_result(now, key, data[key]);
+		delete data[key];
+
+		if ( |data| == 0 )
+			{
+			if ( ss?$epoch_finished )
+				ss$epoch_finished(now);
+
+			# Now that no data is left we can finish.
+			return;
+			}
+
+		i = i-1;
+		if ( i == 0 )
+			{
+			# TODO: is this the right interval?
+			schedule 0.01 secs { process_epoch_result(ss, now, data) };
+			break;
+			}
+		}
+	}
+
 event SumStats::finish_epoch(ss: SumStat)
 	{
 	if ( ss$name in result_store )
 		{
-		local now = network_time();
-
 		if ( ss?$epoch_result )
 			{
 			local data = result_store[ss$name];
-			# TODO: don't block here.
-			for ( key in data )
-				ss$epoch_result(now, key, data[key]);
+			event SumStats::process_epoch_result(ss, network_time(), data);
 			}
 
-		if ( ss?$epoch_finished )
-			ss$epoch_finished(now);
-
+		# We can reset here because we know that the reference
+		# to the data will be maintained by the process_epoch_result
+		# event.
 		reset(ss);
 		}
 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/.stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout
similarity index 100%
rename from testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/.stdout
rename to testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
index fb1254baca..6b153dfe39 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/basic.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
@@ -1,5 +1,8 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-bg-run standalone bro %INPUT
+# @TEST-EXEC: btest-bg-wait 5
+# @TEST-EXEC: btest-diff standalone/.stdout
+
+redef exit_only_after_terminate=T;
 
 event bro_init() &priority=5
 	{
@@ -19,8 +22,9 @@ event bro_init() &priority=5
 	                  	{
 	                  	local r = result["test.metric"];
 	                  	print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique, r$hll_unique);
+	                  	terminate();
 	                  	}
-		 ]);
+	                 ])
 
 	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]);
 	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]);

From a07a40dc8637a0699ed7d5a1ae6d606b2482b402 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 17 Mar 2014 16:45:36 -0400
Subject: [PATCH 114/220] Now the standalone sumstats works even if Bro is
 shutting down by blocking.

---
 scripts/base/frameworks/sumstats/non-cluster.bro | 16 ++++++++++++++--
 .../scripts/base/frameworks/sumstats/basic.bro   |  3 +--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro
index 9cf4041fc0..9fdd012404 100644
--- a/scripts/base/frameworks/sumstats/non-cluster.bro
+++ b/scripts/base/frameworks/sumstats/non-cluster.bro
@@ -37,9 +37,21 @@ event SumStats::finish_epoch(ss: SumStat)
 		if ( ss?$epoch_result )
 			{
 			local data = result_store[ss$name];
-			event SumStats::process_epoch_result(ss, network_time(), data);
-			}
+			local now = network_time();
+			if ( bro_is_terminating() )
+				{
+				for ( key in data )
+					ss$epoch_result(now, key, data[key]);
 
+				if ( ss?$epoch_finished )
+					ss$epoch_finished(now);
+				}
+			else
+				{
+				event SumStats::process_epoch_result(ss, now, data);
+				}
+			}
+		
 		# We can reset here because we know that the reference
 		# to the data will be maintained by the process_epoch_result
 		# event.
diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
index 6b153dfe39..d2cd51cc9e 100644
--- a/testing/btest/scripts/base/frameworks/sumstats/basic.bro
+++ b/testing/btest/scripts/base/frameworks/sumstats/basic.bro
@@ -23,8 +23,7 @@ event bro_init() &priority=5
 	                  	local r = result["test.metric"];
 	                  	print fmt("Host: %s - num:%d - sum:%.1f - var:%.1f - avg:%.1f - max:%.1f - min:%.1f - std_dev:%.1f - unique:%d - hllunique:%d", key$host, r$num, r$sum, r$variance, r$average, r$max, r$min, r$std_dev, r$unique, r$hll_unique);
 	                  	terminate();
-	                  	}
-	                 ])
+	                  	}]);
 
 	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=5]);
 	SumStats::observe("test.metric", [$host=1.2.3.4], [$num=22]);

From 70131b5c8418a70507b491aeeb1a746c9c7a0d99 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 18 Mar 2014 14:42:38 -0500
Subject: [PATCH 115/220] Refactor SerializationFormat::EndWrite and
 ChunkedIO::Chunk mem mgmt.

SerializationFormat::EndWrite now transfers ownership of the buffer
to the caller instead of doing a memcpy.

ChunkedIO::Chunk is no longer a POD type, hopefully the ctor/dtor
make it easier to manage its associated memory.  It also now
tracks how to deallocate its buffer (i.e. delete vs. free).
---
 src/ChunkedIO.cc           | 42 +++++++++---------------
 src/ChunkedIO.h            | 21 ++++++++++--
 src/RemoteSerializer.cc    | 65 ++++++++++++++++----------------------
 src/RemoteSerializer.h     |  3 +-
 src/SerializationFormat.cc | 13 +++++---
 src/SerializationFormat.h  | 11 ++++++-
 src/Serializer.cc          |  2 +-
 src/Type.cc                |  4 +--
 src/Val.cc                 |  3 +-
 9 files changed, 87 insertions(+), 77 deletions(-)

diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc
index 22489bbb0c..54e2e59575 100644
--- a/src/ChunkedIO.cc
+++ b/src/ChunkedIO.cc
@@ -127,12 +127,7 @@ ChunkedIOFd::~ChunkedIOFd()
 	delete [] read_buffer;
 	delete [] write_buffer;
 	safe_close(fd);
-
-	if ( partial )
-		{
-		delete [] partial->data;
-		delete partial;
-		}
+	delete partial;
 	}
 
 bool ChunkedIOFd::Write(Chunk* chunk)
@@ -169,10 +164,9 @@ bool ChunkedIOFd::Write(Chunk* chunk)
 
 	while ( left )
 		{
-		Chunk* part = new Chunk;
+		uint32 sz = min<uint32>(BUFFER_SIZE - sizeof(uint32), left);
+		Chunk* part = new Chunk(new char[sz], sz);
 
-		part->len = min<uint32>(BUFFER_SIZE - sizeof(uint32), left);
-		part->data = new char[part->len];
 		memcpy(part->data, p, part->len);
 		left -= part->len;
 		p += part->len;
@@ -181,9 +175,7 @@ bool ChunkedIOFd::Write(Chunk* chunk)
 			return false;
 		}
 
-	delete [] chunk->data;
 	delete chunk;
-
 	return true;
 	}
 
@@ -239,7 +231,6 @@ bool ChunkedIOFd::PutIntoWriteBuffer(Chunk* chunk)
 	memcpy(write_buffer + write_len, chunk->data, len);
 	write_len += len;
 
-	delete [] chunk->data;
 	delete chunk;
 
 	if ( network_time - last_flush > 0.005 )
@@ -362,9 +353,7 @@ ChunkedIO::Chunk* ChunkedIOFd::ExtractChunk()
 
 	read_pos += sizeof(uint32);
 
-	Chunk* chunk = new Chunk;
-	chunk->len = len;
-	chunk->data = new char[real_len];
+	Chunk* chunk = new Chunk(new char[real_len], len);
 	memcpy(chunk->data, read_buffer + read_pos, real_len);
 	read_pos += real_len;
 
@@ -375,17 +364,13 @@ ChunkedIO::Chunk* ChunkedIOFd::ExtractChunk()
 
 ChunkedIO::Chunk* ChunkedIOFd::ConcatChunks(Chunk* c1, Chunk* c2)
 	{
-	Chunk* c = new Chunk;
-
-	c->len = c1->len + c2->len;
-	c->data = new char[c->len];
+	uint32 sz = c1->len + c2->len;
+	Chunk* c = new Chunk(new char[sz], sz);
 
 	memcpy(c->data, c1->data, c1->len);
 	memcpy(c->data + c1->len, c2->data, c2->len);
 
-	delete [] c1->data;
 	delete c1;
-	delete [] c2->data;
 	delete c2;
 
 	return c;
@@ -627,7 +612,6 @@ void ChunkedIOFd::Clear()
 	while ( pending_head )
 		{
 		ChunkQueue* next = pending_head->next;
-		delete [] pending_head->chunk->data;
 		delete pending_head->chunk;
 		delete pending_head;
 		pending_head = next;
@@ -946,7 +930,6 @@ bool ChunkedIOSSL::Flush()
 		--stats.pending;
 		delete q;
 
-		delete [] c->data;
 		delete c;
 
 		write_state = LEN;
@@ -1063,7 +1046,10 @@ bool ChunkedIOSSL::Read(Chunk** chunk, bool mayblock)
 		}
 
 	if ( ! read_chunk->data )
+		{
 		read_chunk->data = new char[read_chunk->len];
+		read_chunk->free_func = Chunk::free_func_delete;
+		}
 
 	if ( ! ReadData(read_chunk->data, read_chunk->len, &error) )
 		return ! error;
@@ -1123,7 +1109,6 @@ void ChunkedIOSSL::Clear()
 	while ( write_head )
 		{
 		Queue* next = write_head->next;
-		delete [] write_head->chunk->data;
 		delete write_head->chunk;
 		delete write_head;
 		write_head = next;
@@ -1231,12 +1216,13 @@ bool CompressedChunkedIO::Read(Chunk** chunk, bool may_block)
 		return false;
 		}
 
-	delete [] (*chunk)->data;
+	(*chunk)->free_func((*chunk)->data);
 
 	uncompressed_bytes_read += uncompressed_len;
 
 	(*chunk)->len = uncompressed_len;
 	(*chunk)->data = uncompressed;
+	(*chunk)->free_func = Chunk::free_func_delete;
 
 	return true;
 	}
@@ -1280,8 +1266,9 @@ bool CompressedChunkedIO::Write(Chunk* chunk)
 		memcpy(compressed, chunk->data, chunk->len);
 		*(uint32*) (compressed + chunk->len) = 0; // uncompressed_length
 
-		delete [] chunk->data;
+		chunk->free_func(chunk->data);
 		chunk->data = compressed;
+		chunk->free_func = Chunk::free_func_delete;
 		chunk->len += 4;
 
 		DBG_LOG(DBG_CHUNKEDIO, "zlib write pass-through: size=%d", chunk->len);
@@ -1322,8 +1309,9 @@ bool CompressedChunkedIO::Write(Chunk* chunk)
 
 		*(uint32*) zout.next_out = original_size; // uncompressed_length
 
-		delete [] chunk->data;
+		chunk->free_func(chunk->data);
 		chunk->data = compressed;
+		chunk->free_func = Chunk::free_func_delete;
 		chunk->len =
 			((char*) zout.next_out - compressed) + sizeof(uint32);
 
diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h
index 6ee79cd3c4..4984c51232 100644
--- a/src/ChunkedIO.h
+++ b/src/ChunkedIO.h
@@ -26,10 +26,27 @@ public:
 	ChunkedIO();
 	virtual ~ChunkedIO()	{ }
 
-	typedef struct {
+	struct Chunk {
+		typedef void (*FreeFunc)(char*);
+		static void free_func_free(char* data) { free(data); }
+		static void free_func_delete(char* data) { delete [] data; }
+
+		Chunk()
+		    : data(), len(), free_func(free_func_delete)
+			{ }
+
+		Chunk(char* arg_data, uint32 arg_len,
+		      FreeFunc arg_ff = free_func_delete)
+			: data(arg_data), len(arg_len), free_func(arg_ff)
+			{ }
+
+		~Chunk()
+			{ free_func(data); }
+
 		char* data;
 		uint32 len;
-	} Chunk;
+		FreeFunc free_func;
+	};
 
 	// Initialization before any I/O operation is performed. Returns false
 	// on any form of error.
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
index 8d07f34d38..99ec3d7c1e 100644
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@@ -372,10 +372,7 @@ static bool sendCMsg(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id)
 	CMsg* msg = (CMsg*) new char[sizeof(CMsg)];
 	new (msg) CMsg(msg_type, id);
 
-	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
-	c->len = sizeof(CMsg);
-	c->data = (char*) msg;
-
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk((char*)msg, sizeof(CMsg));
 	return io->Write(c);
 	}
 
@@ -386,10 +383,7 @@ static ChunkedIO::Chunk* makeSerialMsg(RemoteSerializer::PeerID id)
 	CMsg* msg = (CMsg*) new char[sizeof(CMsg)];
 	new (msg) CMsg(MSG_SERIAL, id);
 
-	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
-	c->len = sizeof(CMsg);
-	c->data = (char*) msg;
-
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk((char*)msg, sizeof(CMsg));
 	return c;
 	}
 
@@ -424,7 +418,7 @@ static bool sendToIO(ChunkedIO* io, ChunkedIO::Chunk* c)
 	}
 
 static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
-			const char* str, int len = -1)
+			const char* str, int len = -1, bool delete_with_free = false)
 	{
 	if ( ! sendCMsg(io, msg_type, id) )
 		{
@@ -432,9 +426,14 @@ static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
 		return false;
 		}
 
-	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
-	c->len = len >= 0 ? len : strlen(str) + 1;
-	c->data = const_cast<char*>(str);
+	uint32 sz = len >= 0 ? len : strlen(str) + 1;
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk(const_cast<char*>(str), sz);
+
+	if ( delete_with_free )
+		c->free_func = ChunkedIO::Chunk::free_func_free;
+	else
+		c->free_func = ChunkedIO::Chunk::free_func_delete;
+
 	return sendToIO(io, c);
 	}
 
@@ -455,10 +454,8 @@ static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
 	for ( int i = 0; i < nargs; i++ )
 		args[i] = htonl(va_arg(ap, uint32));
 
-	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
-	c->len = sizeof(uint32) * nargs;
-	c->data = (char*) args;
-
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk((char*)args,
+	                                           sizeof(uint32) * nargs);
 	return sendToIO(io, c);
 	}
 
@@ -1529,7 +1526,6 @@ bool RemoteSerializer::Poll(bool may_block)
 		current_msgtype = msg->Type();
 		current_args = 0;
 
-		delete [] c->data;
 		delete c;
 
 		switch ( current_msgtype ) {
@@ -1592,7 +1588,6 @@ bool RemoteSerializer::Poll(bool may_block)
 		msgstate = TYPE;
 		bool result = DoMessage();
 
-		delete [] current_args->data;
 		delete current_args;
 		current_args = 0;
 
@@ -1787,9 +1782,7 @@ void RemoteSerializer::PeerConnected(Peer* peer)
 	*args++ = htonl(peer->our_runtime);
 	strcpy((char*) args, peer->our_class.c_str());
 
-	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
-	c->len = len;
-	c->data = data;
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk(data, len);
 
 	if ( peer->our_class.size() )
 		Log(LogInfo, fmt("sending class \"%s\"", peer->our_class.c_str()), peer);
@@ -2568,8 +2561,8 @@ bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal*
 		goto error;
 
 	c = new ChunkedIO::Chunk;
-	c->data = 0;
 	c->len = fmt.EndWrite(&c->data);
+	c->free_func = ChunkedIO::Chunk::free_func_free;
 
 	if ( ! SendToChild(c) )
 		goto error;
@@ -2577,11 +2570,7 @@ bool RemoteSerializer::SendLogCreateWriter(PeerID peer_id, EnumVal* id, EnumVal*
 	return true;
 
 error:
-	if ( c )
-		{
-		delete [] c->data;
-		delete c;
-		}
+	delete c;
 
 	FatalError(io->Error());
 	return false;
@@ -2643,21 +2632,21 @@ bool RemoteSerializer::SendLogWrite(Peer* peer, EnumVal* id, EnumVal* writer, st
 		{
 		if ( ! FlushLogBuffer(peer) )
 			{
-			delete [] data;
+			free(data);
 			return false;
 			}
 		}
 
 	// If the data is actually larger than our complete buffer, just send it out.
 	if ( len > LOG_BUFFER_SIZE )
-		return SendToChild(MSG_LOG_WRITE, peer, data, len);
+		return SendToChild(MSG_LOG_WRITE, peer, data, len, true);
 
 	// Now we have space in the buffer, copy it into there.
 	memcpy(peer->log_buffer + peer->log_buffer_used, data, len);
 	peer->log_buffer_used += len;
 	assert(peer->log_buffer_used <= LOG_BUFFER_SIZE);
 
-	delete [] data;
+	free(data);
 
 	return true;
 
@@ -3112,14 +3101,19 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
 	return true;
 	}
 
-bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len)
+bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len,
+                                   bool delete_with_free)
 	{
 	DEBUG_COMM(fmt("parent: (->child) %s (#%" PRI_SOURCE_ID ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
 
-	if ( child_pid && sendToIO(io, type, peer ? peer->id : PEER_NONE, str, len) )
+	if ( child_pid && sendToIO(io, type, peer ? peer->id : PEER_NONE, str, len,
+	                           delete_with_free) )
 		return true;
 
-	delete [] str;
+	if ( delete_with_free )
+		free(str);
+	else
+		delete [] str;
 
 	if ( ! child_pid )
 		return false;
@@ -3169,7 +3163,7 @@ bool RemoteSerializer::SendToChild(ChunkedIO::Chunk* c)
 	if ( child_pid && sendToIO(io, c) )
 		return true;
 
-	delete [] c->data;
+	c->free_func(c->data);
 	c->data = 0;
 
 	if ( ! child_pid )
@@ -3545,7 +3539,6 @@ bool SocketComm::ProcessParentMessage()
 		parent_msgtype = msg->Type();
 		parent_args = 0;
 
-		delete [] c->data;
 		delete c;
 
 		switch ( parent_msgtype ) {
@@ -3600,7 +3593,6 @@ bool SocketComm::ProcessParentMessage()
 
 		if ( parent_args )
 			{
-			delete [] parent_args->data;
 			delete parent_args;
 			parent_args = 0;
 			}
@@ -3900,7 +3892,6 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
 			peer->state = msg->Type();
 		}
 
-		delete [] c->data;
 		delete c;
 
 		break;
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
index 5ff7fff8d6..9dbfbd9dae 100644
--- a/src/RemoteSerializer.h
+++ b/src/RemoteSerializer.h
@@ -317,7 +317,8 @@ protected:
 
 	// Communication helpers
 	bool SendCMsgToChild(char msg_type, Peer* peer);
-	bool SendToChild(char type, Peer* peer, char* str, int len = -1);
+	bool SendToChild(char type, Peer* peer, char* str, int len = -1,
+	                 bool delete_with_free = false);
 	bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only
 	bool SendToChild(ChunkedIO::Chunk* c);
 
diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
index 20392e5a73..6a133d64e4 100644
--- a/src/SerializationFormat.cc
+++ b/src/SerializationFormat.cc
@@ -5,6 +5,8 @@
 #include "Serializer.h"
 #include "Reporter.h"
 
+const float SerializationFormat::GROWTH_FACTOR = 2.5;
+
 SerializationFormat::SerializationFormat()
     : output(), output_size(), output_pos(), input(), input_len(), input_pos(),
       bytes_written(), bytes_read()
@@ -49,9 +51,12 @@ void SerializationFormat::StartWrite()
 
 uint32 SerializationFormat::EndWrite(char** data)
 	{
-	*data = new char[output_pos];
-	memcpy(*data, output, output_pos);
-	return output_pos;
+	uint32 rval = output_pos;
+	*data = output;
+	output = 0;
+	output_size = 0;
+	output_pos = 0;
+	return rval;
 	}
 
 bool SerializationFormat::ReadData(void* b, size_t count)
@@ -75,7 +80,7 @@ bool SerializationFormat::WriteData(const void* b, size_t count)
 	// Increase buffer if necessary.
 	while ( output_pos + count > output_size )
 		{
-		output_size += output_size * 1.5;
+		output_size *= GROWTH_FACTOR;
 		output = (char*)safe_realloc(output, output_size);
 		}
 
diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h
index f270b61bae..e652341698 100644
--- a/src/SerializationFormat.h
+++ b/src/SerializationFormat.h
@@ -44,7 +44,15 @@ public:
 
 	// Serialization.
 	virtual void StartWrite();
-	virtual uint32 EndWrite(char** data);	// passes ownership
+
+	/**
+	 * Retrieves serialized data.
+	 * @param data A pointer that will be assigned to point at the internal
+	 *             buffer containing serialized data.  The memory should
+	 *             be reclaimed using "free()".
+	 * @return The number of bytes in the buffer object assigned to \a data.
+	 */
+	virtual uint32 EndWrite(char** data);
 
 	virtual bool Write(int v, const char* tag) = 0;
 	virtual bool Write(uint16 v, const char* tag) = 0;
@@ -74,6 +82,7 @@ protected:
 	bool WriteData(const void* buf, size_t count);
 
 	static const uint32 INITIAL_SIZE = 65536;
+	static const float GROWTH_FACTOR;
 	char* output;
 	uint32 output_size;
 	uint32 output_pos;
diff --git a/src/Serializer.cc b/src/Serializer.cc
index 156ad67f2e..36b1c74000 100644
--- a/src/Serializer.cc
+++ b/src/Serializer.cc
@@ -81,6 +81,7 @@ bool Serializer::EndSerialization(SerialInfo* info)
 
 	ChunkedIO::Chunk* chunk = new ChunkedIO::Chunk;
 	chunk->len = format->EndWrite(&chunk->data);
+	chunk->free_func = ChunkedIO::Chunk::free_func_free;
 
 	if ( ! io->Write(chunk) )
 		{
@@ -282,7 +283,6 @@ int Serializer::Unserialize(UnserialInfo* info, bool block)
 
 	if ( ! info->chunk )
 		{ // only delete if we allocated it ourselves
-		delete [] chunk->data;
 		delete chunk;
 		}
 
diff --git a/src/Type.cc b/src/Type.cc
index 02a486056d..672153d957 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -131,7 +131,7 @@ BroType* BroType::Clone() const
 	sinfo.cache = false;
 
 	this->Serialize(&sinfo);
-	char* data = 0;
+	char* data;
 	uint32 len = form->EndWrite(&data);
 	form->StartRead(data, len);
 
@@ -141,7 +141,7 @@ BroType* BroType::Clone() const
 	BroType* rval = this->Unserialize(&uinfo, false);
 	assert(rval != this);
 
-	delete [] data;
+	free(data);
 	return rval;
 	}
 
diff --git a/src/Val.cc b/src/Val.cc
index 4aec6a7c31..9b5b0b9d58 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -92,8 +92,7 @@ Val* Val::Clone() const
 	uinfo.cache = false;
 	Val* clone = Unserialize(&uinfo, type);
 
-	delete [] data;
-
+	free(data);
 	return clone;
 	}
 

From 2e8d0945a4764fd5ecb5b0dd6b276c7560ad098a Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 18 Mar 2014 16:29:27 -0500
Subject: [PATCH 116/220] Improve documentation of Bro clusters

Renamed the bro cluster doc to better indicate its purpose (it provides
a high-level overview rather than detailed configuration instructions).
Moved the location of the bro cluster doc in the index so that it makes
more sense (it is an introductory section, not a section about using bro).

Added links in the quick start guide and the bro cluster doc so that
readers can more easily locate more detailed information on configuring
a bro cluster.

Addresses BIT-1160
---
 doc/cluster/index.rst    | 45 ++++++++++++++++++++--------------------
 doc/index.rst            |  2 +-
 doc/quickstart/index.rst |  9 ++++++--
 3 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/doc/cluster/index.rst b/doc/cluster/index.rst
index 2e6cb2e782..3edf295dfb 100644
--- a/doc/cluster/index.rst
+++ b/doc/cluster/index.rst
@@ -1,18 +1,19 @@
 
 ========================
-Setting up a Bro Cluster
+Bro Cluster Architecture
 ========================
 
-Intro
-------
 
 Bro is not multithreaded, so once the limitations of a single processor core
 are reached the only option currently is to spread the workload across many
 cores, or even many physical computers. The cluster deployment scenario for
-Bro is the current solution to build these larger systems. The accompanying
-tools and scripts provide the structure to easily manage many Bro processes
-examining packets and doing correlation activities but acting as a singular,
-cohesive entity.
+Bro is the current solution to build these larger systems. The tools and
+scripts that accompany Bro provide the structure to easily manage many Bro
+processes examining packets and doing correlation activities but acting as
+a singular, cohesive entity.  This document describes the Bro cluster
+architecture.  For information on how to configure a Bro cluster,
+see the documentation for
+`BroControl <http://bro.org/sphinx/components/broctl/README.html>`_.
 
 Architecture
 ---------------
@@ -41,11 +42,11 @@ messages and notices from the rest of the nodes in the cluster using the Bro
 communications protocol.  The result is a single log instead of many
 discrete logs that you have to combine in some manner with post-processing.
 The manager also takes the opportunity to de-duplicate notices, and it has the
-ability to do so since it’s acting as the choke point for notices and how notices
-might be processed into actions (e.g., emailing, paging, or blocking).
+ability to do so since it's acting as the choke point for notices and how
+notices might be processed into actions (e.g., emailing, paging, or blocking).
 
 The manager process is started first by BroControl and it only opens its
-designated port and waits for connections, it doesn’t initiate any
+designated port and waits for connections, it doesn't initiate any
 connections to the rest of the cluster.  Once the workers are started and
 connect to the manager, logs and notices will start arriving to the manager
 process from the workers.
@@ -58,12 +59,11 @@ the workers by alleviating the need for all of the workers to connect
 directly to each other.
 
 Examples of synchronized state from the scripts that ship with Bro include
-the full list of “known” hosts and services (which are hosts or services
+the full list of "known" hosts and services (which are hosts or services
 identified as performing full TCP handshakes) or an analyzed protocol has been
 found on the connection.  If worker A detects host 1.2.3.4 as an active host,
 it would be beneficial for worker B to know that as well.  So worker A shares
-that information as an insertion to a set
-<link to set documentation would be good here> which travels to the cluster’s
+that information as an insertion to a set which travels to the cluster's
 proxy and the proxy sends that same set insertion to worker B. The result
 is that worker A and worker B have shared knowledge about host and services
 that are active on the network being monitored.
@@ -79,7 +79,7 @@ necessary for the number of workers they are serving.  It is best to start
 with a single proxy and add more if communication performance problems are
 found.
 
-Bro processes acting as proxies don’t tend to be extremely hard on CPU
+Bro processes acting as proxies don't tend to be extremely hard on CPU
 or memory and users frequently run proxy processes on the same physical
 host as the manager.
 
@@ -106,7 +106,7 @@ dedicated to being workers with each one containing dual 6-core processors.
 
 Once a flow-based load balancer is put into place this model is extremely
 easy to scale. It is recommended that you estimate the amount of
-hardware you will need to fully analyze your traffic.  If more is needed it’s
+hardware you will need to fully analyze your traffic.  If more is needed it's
 relatively easy to increase the size of the cluster in most cases.
 
 Frontend Options
@@ -147,14 +147,13 @@ On host flow balancing
 PF_RING
 ^^^^^^^
 
-The PF_RING software for Linux has a “clustering” feature which will do
+The PF_RING software for Linux has a "clustering" feature which will do
 flow-based load balancing across a number of processes that are sniffing the
 same interface.  This allows you to easily take advantage of multiple
-cores in a single physical host because Bro’s main event loop is single
-threaded and can’t natively utilize all of the cores.  More information about
-Bro with PF_RING can be found here: (someone want to write a quick Bro/PF_RING
-tutorial to link to here?  document installing kernel module, libpcap
-wrapper, building Bro with the --with-pcap configure option)
+cores in a single physical host because Bro's main event loop is single
+threaded and can't natively utilize all of the cores.  If you want to use
+PF_RING, see the documentation on `how to configure Bro with PF_RING
+<http://bro.org/documentation/load-balancing.html>`_.
 
 Netmap
 ^^^^^^
@@ -167,7 +166,7 @@ Click! Software Router
 ^^^^^^^^^^^^^^^^^^^^^^
 
 Click! can be used for flow based load balancing with a simple configuration.
-(link to an example for the config).  This solution is not recommended on
-Linux due to Bro’s PF_RING support and only as a last resort on other
+This solution is not recommended on
+Linux due to Bro's PF_RING support and only as a last resort on other
 operating systems since it causes a lot of overhead due to context switching
 back and forth between kernel and userland several times per packet.
diff --git a/doc/index.rst b/doc/index.rst
index a66353c9ea..bab3d49204 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -12,6 +12,7 @@ Introduction Section
    :maxdepth: 2
 
    intro/index.rst
+   cluster/index.rst
    install/index.rst
    quickstart/index.rst
 
@@ -29,7 +30,6 @@ Using Bro Section
    httpmonitor/index.rst
    broids/index.rst
    mimestats/index.rst
-   cluster/index.rst
 
 ..
 
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index e322d05f71..dc67e9839c 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -12,7 +12,9 @@ Quick Start Guide
 Bro works on most modern, Unix-based systems and requires no custom
 hardware.  It can be downloaded in either pre-built binary package or
 source code forms.  See :ref:`installing-bro` for instructions on how to
-install Bro. Below, ``$PREFIX`` is used to reference the Bro
+install Bro. 
+
+In the examples below, ``$PREFIX`` is used to reference the Bro
 installation root directory, which by default is ``/usr/local/bro/`` if
 you install from source. 
 
@@ -21,7 +23,10 @@ Managing Bro with BroControl
 
 BroControl is an interactive shell for easily operating/managing Bro
 installations on a single system or even across multiple systems in a
-traffic-monitoring cluster.
+traffic-monitoring cluster.  This section explains how to use BroControl
+to manage a stand-alone Bro installation.  For instructions on how to
+configure a Bro cluster, see the documentation for `BroControl
+<http://bro.org/sphinx/components/broctl/README.html>`_.
 
 A Minimal Starting Configuration
 --------------------------------

From 80fe5874a506c973aaa668597def76b15b779bcf Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Wed, 19 Mar 2014 16:56:29 -0500
Subject: [PATCH 117/220] More improvements to install/setup documentation

Addresses BIT-1160
---
 doc/cluster/index.rst      |  2 +-
 doc/install/guidelines.rst | 17 +++++++++++------
 doc/install/install.rst    |  2 +-
 doc/quickstart/index.rst   |  6 +++---
 4 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/doc/cluster/index.rst b/doc/cluster/index.rst
index 3edf295dfb..544ca5e0f8 100644
--- a/doc/cluster/index.rst
+++ b/doc/cluster/index.rst
@@ -13,7 +13,7 @@ processes examining packets and doing correlation activities but acting as
 a singular, cohesive entity.  This document describes the Bro cluster
 architecture.  For information on how to configure a Bro cluster,
 see the documentation for
-`BroControl <http://bro.org/sphinx/components/broctl/README.html>`_.
+:doc:`BroControl <../components/broctl/README>`.
 
 Architecture
 ---------------
diff --git a/doc/install/guidelines.rst b/doc/install/guidelines.rst
index a5526a706e..af33b8fee1 100644
--- a/doc/install/guidelines.rst
+++ b/doc/install/guidelines.rst
@@ -1,16 +1,21 @@
 
 .. _upgrade-guidelines:
 
-==================
-General Guidelines
-==================
+==============
+How to Upgrade
+==============
 
 If you're doing an upgrade install (rather than a fresh install),
 there's two suggested approaches: either install Bro using the same
 installation prefix directory as before, or pick a new prefix and copy
-local customizations over. In the following we summarize general
-guidelines for upgrading, see the :ref:`release-notes` for
-version-specific information.
+local customizations over.  Regardless of which approach you choose,
+if you are using BroControl, then after upgrading Bro you will need to
+run "broctl check" (to verify that your new configuration is OK)
+and "broctl install" to complete the upgrade process.
+
+In the following we summarize general guidelines for upgrading, see
+the :ref:`release-notes` for version-specific information.
+
 
 Reusing Previous Install Prefix
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/doc/install/install.rst b/doc/install/install.rst
index 7400d640fe..7a55f519a3 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -80,7 +80,7 @@ that ``bash`` and ``python`` are in your ``PATH``):
   Distributions of these dependencies can likely be obtained from your
   preferred Mac OS X package management system (e.g. MacPorts_, Fink_,
   or Homebrew_).  Specifically for MacPorts, the ``cmake``, ``swig``,
-  ``swig-python`` and packages provide the required dependencies.
+  and ``swig-python`` packages provide the required dependencies.
 
 
 Optional Dependencies
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index dc67e9839c..a61d0cc71d 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
@@ -15,7 +15,7 @@ source code forms.  See :ref:`installing-bro` for instructions on how to
 install Bro. 
 
 In the examples below, ``$PREFIX`` is used to reference the Bro
-installation root directory, which by default is ``/usr/local/bro/`` if
+installation root directory, which by default is ``/usr/local/bro`` if
 you install from source. 
 
 Managing Bro with BroControl
@@ -25,8 +25,8 @@ BroControl is an interactive shell for easily operating/managing Bro
 installations on a single system or even across multiple systems in a
 traffic-monitoring cluster.  This section explains how to use BroControl
 to manage a stand-alone Bro installation.  For instructions on how to
-configure a Bro cluster, see the documentation for `BroControl
-<http://bro.org/sphinx/components/broctl/README.html>`_.
+configure a Bro cluster, see the documentation for :doc:`BroControl
+<../components/broctl/README>`.
 
 A Minimal Starting Configuration
 --------------------------------

From b32c7c7a882a6f0ee3a75b20f376b2ddea409ab4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 19 Mar 2014 21:32:01 -0700
Subject: [PATCH 118/220] Add policy script to suppress non host-certificate
 logging in x509.log

Addresses BIT-1150
---
 .../protocols/ssl/log-hostcerts-only.bro      | 65 +++++++++++++++++++
 scripts/site/local.bro                        |  3 +
 scripts/test-all-policy.bro                   |  1 +
 .../x509.log                                  | 11 ++++
 .../protocols/ssl/log-hostcerts-only.bro      |  4 ++
 5 files changed, 84 insertions(+)
 create mode 100644 scripts/policy/protocols/ssl/log-hostcerts-only.bro
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro

diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
new file mode 100644
index 0000000000..75b1ae0423
--- /dev/null
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -0,0 +1,65 @@
+##! When this script is loaded, only the host certificates (client and server)
+##! will be logged to x509.log. Logging of all other certificates will be suppressed.
+
+module X509;
+
+export {
+	redef record Info += {
+	# Logging is suppressed if field is set to F
+		logcert: bool &default=T;
+	};
+}
+
+# We need both the Info and the fa_file record modified.
+# The only instant when we have both, the connection and the
+# file available without having to loop is in the file_over_new_connection
+# event.
+# When that event is raised, the x509 record in f$info (which is the only
+# record the logging framework gets) is not yet available. So - we
+# have to do this two times, sorry.
+# Alternatively, we could place it info Files::Info first - but we would
+# still have to copy it.
+redef record fa_file += {
+	logcert: bool &default=T;
+};
+
+function host_certs_only(rec: X509::Info): bool
+	{
+	return rec$logcert;
+	}
+
+event bro_init() &priority=2
+	{
+	local f = Log::get_filter(X509::LOG, "default");
+	Log::remove_filter(X509::LOG, "default"); # disable default logging
+	f$pred=host_certs_only; # and add our predicate
+	Log::add_filter(X509::LOG, f);
+	}
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2
+	{
+	if ( ! c?$ssl )
+		return;
+
+	local chain: vector of string;
+
+	if ( is_orig )
+		chain = c$ssl$client_cert_chain_fuids;
+	else
+		chain = c$ssl$cert_chain_fuids;
+
+	if ( |chain| == 0 )
+		{
+		Reporter::warning(fmt("Certificate not in chain? (fuid %s)", f$id));
+		return;
+		}
+
+	# Check if this is the host certificate
+	if ( f$id != chain[0] )
+		f$logcert=F;
+}
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=2
+	{
+	f$info$x509$logcert = f$logcert; # info record available, copy information.
+	}
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index ddaee42a93..e1a3574424 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -55,6 +55,9 @@
 # This script enables SSL/TLS certificate validation.
 @load protocols/ssl/validate-certs
 
+# This script prevents the logging of SSL CA certificates in x509.log
+@load protocols/ssl/log-hostcerts-only
+
 # Uncomment the following line to check each SSL certificate hash against the ICSI
 # certificate notary service; see http://notary.icsi.berkeley.edu .
 # @load protocols/ssl/notary
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index ee540c86bb..895a9a8901 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -86,6 +86,7 @@
 @load protocols/ssl/expiring-certs.bro
 @load protocols/ssl/extract-certs-pem.bro
 @load protocols/ssl/known-certs.bro
+@load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
 @load protocols/ssl/validate-certs.bro
 @load tuning/__load__.bro
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
new file mode 100644
index 0000000000..13f8280fa9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-03-20-04-29-44
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1394747126.862409	FlaIzV19yTmBYwWwc6	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1394747129.512954	FOye6a4kt8a7QChqw3	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+#close	2014-03-20-04-29-44
diff --git a/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro
new file mode 100644
index 0000000000..37f9f7592b
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/tls/google-duplicate.trace %INPUT
+# @TEST-EXEC: btest-diff x509.log
+
+@load protocols/ssl/log-hostcerts-only

From a185631e1e1baec69d7e783b09576d36f3fe5fbd Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 19 Mar 2014 21:46:19 -0700
Subject: [PATCH 119/220] Fix x509 certificate Version (the +1 was missing...).

This was wrong all along in the ssl protocol parser and no one ever
noticed :)

(And I missed it in the new logfiles until now *cough*)
---
 .../x509.log                                  | 28 +++++++++----------
 .../scripts.base.protocols.ssl.basic/x509.log |  8 +++---
 .../x509.log                                  | 10 +++----
 .../x509.log                                  | 16 +++++------
 .../x509.log                                  |  8 +++---
 5 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log
index 827bfd97de..02d7edf3a5 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log
@@ -3,19 +3,19 @@
 #empty_field	(empty)
 #unset_field	-
 #path	x509
-#open	2014-03-13-20-45-24
+#open	2014-03-20-04-42-11
 #fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
-1348168976.510615	FBtbj87tgpyeDSj31	2	01	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
-1348168976.510615	F8TfgZ31c1dFu8Kt2k	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
-1348168976.514202	FVNYOh2BeQBb7MpCPe	2	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
-1348168976.514202	FwjBou1e5DbpE0eOgk	2	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
-1348168976.514202	FbYQmk4x4M4Bx3PZme	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
-1348168976.551554	F4SSqN31HDIrrH5Q8h	2	3792E385	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
-1348168976.551554	FJHp5Pf6VLQsRQK3	2	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
-1348168976.551554	FHACqa3dX9BXRV2av	2	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
-1348168976.551554	FNnDVT1NURRWeoLLN3	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
-1348168976.554445	FFWYVj4BcvQb35WIaf	2	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
-1348168976.554445	Fj16G835fnJgnVlKU6	2	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
-1348168976.554445	FGONoc1Nj0Ka5zlxDa	2	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
-#close	2014-03-13-20-45-24
+1348168976.510615	FBtbj87tgpyeDSj31	3	01	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161979.000000	1379697979.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.510615	F8TfgZ31c1dFu8Kt2k	3	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+1348168976.514202	FVNYOh2BeQBb7MpCPe	3	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.514202	FwjBou1e5DbpE0eOgk	3	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.514202	FbYQmk4x4M4Bx3PZme	3	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+1348168976.551554	F4SSqN31HDIrrH5Q8h	3	3792E385	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348168676.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.551554	FJHp5Pf6VLQsRQK3	3	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.551554	FHACqa3dX9BXRV2av	3	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.551554	FNnDVT1NURRWeoLLN3	3	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+1348168976.554445	FFWYVj4BcvQb35WIaf	3	36B07110	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162941.000000	1348206441.000000	rsaEncryption	sha1WithRSAEncryption	rsa	512	65537	-	-	-	-	-	-	-
+1348168976.554445	Fj16G835fnJgnVlKU6	3	02	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348162263.000000	1379698263.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	-	-
+1348168976.554445	FGONoc1Nj0Ka5zlxDa	3	EA83D17188B68E4D	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	1348161502.000000	1505841502.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	-
+#close	2014-03-20-04-42-11
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
index 350673c2c8..4a187b3d11 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/x509.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	x509
-#open	2014-03-13-20-45-46
+#open	2014-03-20-04-42-26
 #fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
-1335538392.343624	F6wfNWn8LR755SYo7	2	36F5DA5300000000505E	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	*.gstatic.com,gstatic.com,*.metric.gstatic.com	-	-	-	-	-
-1335538392.343624	FJl60T1mOolaez9T0h	2	0B6771	CN=Google Internet Authority,O=Google Inc,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1244493807.000000	1370634207.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	0
-#close	2014-03-13-20-45-46
+1335538392.343624	F6wfNWn8LR755SYo7	3	36F5DA5300000000505E	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	1334102677.000000	1365639277.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	*.gstatic.com,gstatic.com,*.metric.gstatic.com	-	-	-	-	-
+1335538392.343624	FJl60T1mOolaez9T0h	3	0B6771	CN=Google Internet Authority,O=Google Inc,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1244493807.000000	1370634207.000000	rsaEncryption	sha1WithRSAEncryption	rsa	1024	65537	-	-	-	-	-	T	0
+#close	2014-03-20-04-42-26
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log
index 5aeca0e664..3bc9870ec6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/x509.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	x509
-#open	2014-03-13-20-46-09
+#open	2014-03-20-04-42-42
 #fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
-1357328848.591964	FlnQzb2dJK4p9jXwmd	2	99FAA8037A4EB2FAEF84EB5E55D5B8C8	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1304467200.000000	1467676799.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.taleo.net,taleo.net	-	-	-	F	-
-1357328848.591964	FaDzX22O4j3kFF6Jqg	2	1690C329B6780607511F05B0344846CB	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	1271376000.000000	1590835718.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
-1357328848.591964	F9Tsjm3OdCmGGw43Yh	2	01	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	959683718.000000	1590835718.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
-#close	2014-03-13-20-46-09
+1357328848.591964	FlnQzb2dJK4p9jXwmd	3	99FAA8037A4EB2FAEF84EB5E55D5B8C8	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	1304467200.000000	1467676799.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.taleo.net,taleo.net	-	-	-	F	-
+1357328848.591964	FaDzX22O4j3kFF6Jqg	3	1690C329B6780607511F05B0344846CB	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	1271376000.000000	1590835718.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1357328848.591964	F9Tsjm3OdCmGGw43Yh	3	01	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE	959683718.000000	1590835718.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-03-20-04-42-42
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
index df68558d9b..8be6aab171 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/x509.log
@@ -3,13 +3,13 @@
 #empty_field	(empty)
 #unset_field	-
 #path	x509
-#open	2014-03-13-21-47-24
+#open	2014-03-20-04-42-54
 #fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
-1394747126.862409	FlaIzV19yTmBYwWwc6	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
-1394747126.862409	F0BeiV3cMsGkNML0P2	2	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
-1394747126.862409	F6PfYi2WUoPdIJrhpg	2	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
-1394747129.512954	FOye6a4kt8a7QChqw3	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
-1394747129.512954	FytlLr3jOQenFAVtYi	2	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
-1394747129.512954	FEmnxy4DGbxkmtQJS1	2	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
-#close	2014-03-13-21-47-24
+1394747126.862409	FlaIzV19yTmBYwWwc6	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1394747126.862409	F0BeiV3cMsGkNML0P2	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1394747126.862409	F6PfYi2WUoPdIJrhpg	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+1394747129.512954	FOye6a4kt8a7QChqw3	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1394747129.512954	FytlLr3jOQenFAVtYi	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1394747129.512954	FEmnxy4DGbxkmtQJS1	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-03-20-04-42-54
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
index 13f8280fa9..2a2fb3ba83 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.log-hostcerts-only/x509.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	x509
-#open	2014-03-20-04-29-44
+#open	2014-03-20-04-43-07
 #fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
-1394747126.862409	FlaIzV19yTmBYwWwc6	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
-1394747129.512954	FOye6a4kt8a7QChqw3	2	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
-#close	2014-03-20-04-29-44
+1394747126.862409	FlaIzV19yTmBYwWwc6	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1394747129.512954	FOye6a4kt8a7QChqw3	3	4A2C8628C1010633	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1393341558.000000	1401062400.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+#close	2014-03-20-04-43-07

From ae165fb2627ea568f2e903435b8c438cf27f56e1 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 19 Mar 2014 21:50:02 -0700
Subject: [PATCH 120/220] x509 version always has to be incremented. Baselines
 already committed.

---
 src/file_analysis/analyzer/x509/X509.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 9b4a90dcf9..3bdfb034ac 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -94,7 +94,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 	RecordVal* pX509Cert = new RecordVal(BifType::Record::X509::Certificate);
 	BIO *bio = BIO_new(BIO_s_mem());
 
-	pX509Cert->Assign(0, new Val((uint64) X509_get_version(ssl_cert), TYPE_COUNT));
+	pX509Cert->Assign(0, new Val((uint64) X509_get_version(ssl_cert) + 1, TYPE_COUNT));
 	i2a_ASN1_INTEGER(bio, X509_get_serialNumber(ssl_cert));
 	int len = BIO_read(bio, &(*buf), sizeof(buf));
 	pX509Cert->Assign(1, new StringVal(len, buf));

From b1fd1612740d554bf6681888e6920e982ceb5200 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 20 Mar 2014 13:54:26 -0500
Subject: [PATCH 121/220] Improve type checking of records, addresses BIT-1159.

---
 scripts/base/frameworks/files/main.bro        |  8 +--
 src/Expr.cc                                   | 66 +++++++++----------
 src/Expr.h                                    |  5 +-
 src/Var.cc                                    |  6 ++
 src/parse.y                                   |  3 +-
 .../Baseline/language.record-bad-ctor/out     |  2 +-
 .../language.record-type-checking/out         | 11 ++++
 testing/btest/language/named-record-ctors.bro |  4 +-
 testing/btest/language/record-extension.bro   |  2 +-
 .../btest/language/record-type-checking.bro   | 47 +++++++++++++
 testing/btest/language/sizeof.bro             |  2 +-
 .../btest/scripts/base/utils/conn-ids.test    |  4 +-
 .../base/utils/directions-and-hosts.test      | 16 ++---
 13 files changed, 118 insertions(+), 58 deletions(-)
 create mode 100644 testing/btest/Baseline/language.record-type-checking/out
 create mode 100644 testing/btest/language/record-type-checking.bro

diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro
index cf2c11be45..d481e0b28f 100644
--- a/scripts/base/frameworks/files/main.bro
+++ b/scripts/base/frameworks/files/main.bro
@@ -41,15 +41,15 @@ export {
 		## If this file was transferred over a network
 		## connection this should show the host or hosts that
 		## the data sourced from.
-		tx_hosts: set[addr] &log;
+		tx_hosts: set[addr] &default=addr_set() &log;
 
 		## If this file was transferred over a network
 		## connection this should show the host or hosts that
 		## the data traveled to.
-		rx_hosts: set[addr] &log;
+		rx_hosts: set[addr] &default=addr_set() &log;
 
 		## Connection UIDs over which the file was transferred.
-		conn_uids: set[string] &log;
+		conn_uids: set[string] &default=string_set() &log;
 
 		## An identification of the source of the file data.  E.g. it
 		## may be a network protocol over which it was transferred, or a
@@ -63,7 +63,7 @@ export {
 		depth: count &default=0 &log;
 
 		## A set of analysis types done during the file analysis.
-		analyzers: set[string] &log;
+		analyzers: set[string] &default=string_set() &log;
 
 		## A mime type provided by libmagic against the *bof_buffer*
 		## field of :bro:see:`fa_file`, or in the cases where no
diff --git a/src/Expr.cc b/src/Expr.cc
index a5315b533d..b3a4b8b096 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3392,22 +3392,12 @@ bool HasFieldExpr::DoUnserialize(UnserialInfo* info)
 	return UNSERIALIZE(&not_used) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
 	}
 
-RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list,
-					     BroType* arg_type)
+RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 : UnaryExpr(EXPR_RECORD_CONSTRUCTOR, constructor_list)
 	{
-	ctor_type = 0;
-
 	if ( IsError() )
 		return;
 
-	if ( arg_type && arg_type->Tag() != TYPE_RECORD )
-		{
-		Error("bad record constructor type", arg_type);
-		SetError();
-		return;
-		}
-
 	// Spin through the list, which should be comprised of
 	// either record's or record-field-assign, and build up a
 	// record type to associate with this constructor.
@@ -3447,17 +3437,11 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list,
 			}
 		}
 
-	ctor_type = new RecordType(record_types);
-
-	if ( arg_type )
-		SetType(arg_type->Ref());
-	else
-		SetType(ctor_type->Ref());
+	SetType(new RecordType(record_types));
 	}
 
 RecordConstructorExpr::~RecordConstructorExpr()
 	{
-	Unref(ctor_type);
 	}
 
 Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
@@ -3483,7 +3467,7 @@ Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 Val* RecordConstructorExpr::Fold(Val* v) const
 	{
 	ListVal* lv = v->AsListVal();
-	RecordType* rt = ctor_type->AsRecordType();
+	RecordType* rt = type->AsRecordType();
 
 	if ( lv->Length() != rt->NumFields() )
 		Internal("inconsistency evaluating record constructor");
@@ -3493,19 +3477,6 @@ Val* RecordConstructorExpr::Fold(Val* v) const
 	for ( int i = 0; i < lv->Length(); ++i )
 		rv->Assign(i, lv->Index(i)->Ref());
 
-	if ( ! same_type(rt, type) )
-		{
-		RecordVal* new_val = rv->CoerceTo(type->AsRecordType());
-
-		if ( new_val )
-			{
-			Unref(rv);
-			rv = new_val;
-			}
-		else
-			Internal("record constructor coercion failed");
-		}
-
 	return rv;
 	}
 
@@ -3521,16 +3492,12 @@ IMPLEMENT_SERIAL(RecordConstructorExpr, SER_RECORD_CONSTRUCTOR_EXPR);
 bool RecordConstructorExpr::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_RECORD_CONSTRUCTOR_EXPR, UnaryExpr);
-	SERIALIZE_OPTIONAL(ctor_type);
 	return true;
 	}
 
 bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(UnaryExpr);
-	BroType* t = 0;
-	UNSERIALIZE_OPTIONAL(t, RecordType::Unserialize(info));
-	ctor_type = t->AsRecordType();
 	return true;
 	}
 
@@ -4214,6 +4181,26 @@ RecordCoerceExpr::~RecordCoerceExpr()
 	delete [] map;
 	}
 
+Val* RecordCoerceExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	Val* v = Eval(0);
+
+	if ( v )
+		{
+		RecordVal* rv = v->AsRecordVal();
+		RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
+
+		if ( ar )
+			{
+			Unref(rv);
+			return ar;
+			}
+		}
+
+	Error("bad record initializer");
+	return 0;
+	}
+
 Val* RecordCoerceExpr::Fold(Val* v) const
 	{
 	RecordVal* val = new RecordVal(Type()->AsRecordType());
@@ -4238,6 +4225,13 @@ Val* RecordCoerceExpr::Fold(Val* v) const
 
 			assert(rhs || Type()->AsRecordType()->FieldDecl(i)->FindAttr(ATTR_OPTIONAL));
 
+			if ( ! rhs )
+				{
+				// Optional field is missing.
+				val->Assign(i, 0);
+				continue;
+				}
+
 			BroType* rhs_type = rhs->Type();
 			RecordType* val_type = val->Type()->AsRecordType();
 			BroType* field_type = val_type->FieldType(i);
diff --git a/src/Expr.h b/src/Expr.h
index 26f20fcbe9..fafa79025b 100644
--- a/src/Expr.h
+++ b/src/Expr.h
@@ -753,7 +753,7 @@ protected:
 
 class RecordConstructorExpr : public UnaryExpr {
 public:
-	RecordConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0);
+	RecordConstructorExpr(ListExpr* constructor_list);
 	~RecordConstructorExpr();
 
 protected:
@@ -766,8 +766,6 @@ protected:
 	void ExprDescribe(ODesc* d) const;
 
 	DECLARE_SERIAL(RecordConstructorExpr);
-
-	RecordType* ctor_type; // type inferred from the ctor expression list args
 };
 
 class TableConstructorExpr : public UnaryExpr {
@@ -878,6 +876,7 @@ protected:
 	friend class Expr;
 	RecordCoerceExpr()	{ map = 0; }
 
+	Val* InitVal(const BroType* t, Val* aggr) const;
 	Val* Fold(Val* v) const;
 
 	DECLARE_SERIAL(RecordCoerceExpr);
diff --git a/src/Var.cc b/src/Var.cc
index 1d4f1f4620..52754e3265 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -169,8 +169,14 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 			{
 			Val* aggr;
 			if ( t->Tag() == TYPE_RECORD )
+				{
 				aggr = new RecordVal(t->AsRecordType());
 
+				if ( init && t )
+					// Have an initialization and type is not deduced.
+					init = new RecordCoerceExpr(init, t->AsRecordType());
+				}
+
 			else if ( t->Tag() == TYPE_TABLE )
 				aggr = new TableVal(t->AsTableType(), id->Attrs());
 
diff --git a/src/parse.y b/src/parse.y
index 5835c57143..04e41ac158 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -559,7 +559,8 @@ expr:
 				{
 				switch ( ctor_type->Tag() ) {
 				case TYPE_RECORD:
-					$$ = new RecordConstructorExpr($4, ctor_type);
+					$$ = new RecordCoerceExpr(new RecordConstructorExpr($4),
+					                          ctor_type->AsRecordType());
 					break;
 
 				case TYPE_TABLE:
diff --git a/testing/btest/Baseline/language.record-bad-ctor/out b/testing/btest/Baseline/language.record-bad-ctor/out
index 2b890419ae..97f853b5a8 100644
--- a/testing/btest/Baseline/language.record-bad-ctor/out
+++ b/testing/btest/Baseline/language.record-bad-ctor/out
@@ -1,3 +1,3 @@
 error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
 error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ((coerce [$ports=asdfasdf] to record { ports:error; }))
diff --git a/testing/btest/Baseline/language.record-type-checking/out b/testing/btest/Baseline/language.record-type-checking/out
new file mode 100644
index 0000000000..ecd5d7b8bb
--- /dev/null
+++ b/testing/btest/Baseline/language.record-type-checking/out
@@ -0,0 +1,11 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 9 and count: type clash for field "a" ((coerce [$a=0] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 9: bad record initializer ((coerce [$a=0] to error))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 12 and count: type clash for field "a" ((coerce [$a=1] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 12: bad record initializer ((coerce (coerce [$a=1] to error) to error))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 18 and count: type clash for field "a" ((coerce [$a=2] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 22 and count: type clash for field "a" ((coerce [$a=3] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 22: bad record initializer ((coerce [$a=3] to error))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 27 and count: type clash for field "a" ((coerce [$a=1000] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 33 and count: type clash for field "a" ((coerce [$a=1001] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 40 and count: type clash for field "a" ((coerce [$a=1002] to MyRec) and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-type-checking/record-type-checking.bro, line 46 and count: type clash for field "a" ((coerce [$a=1003] to MyRec) and count)
diff --git a/testing/btest/language/named-record-ctors.bro b/testing/btest/language/named-record-ctors.bro
index d0a6fc70e5..40a79d86b3 100644
--- a/testing/btest/language/named-record-ctors.bro
+++ b/testing/btest/language/named-record-ctors.bro
@@ -1,6 +1,8 @@
-# @TEST-EXEC: bro -b frameworks/software/vulnerable %INPUT >out
+# @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
+@load frameworks/software/vulnerable
+
 type MyRec: record {
 	min: count &optional;
 	max: count;
diff --git a/testing/btest/language/record-extension.bro b/testing/btest/language/record-extension.bro
index 78ef929a86..02b4c3bbe7 100644
--- a/testing/btest/language/record-extension.bro
+++ b/testing/btest/language/record-extension.bro
@@ -9,7 +9,7 @@ type Foo: record {
 
 redef record Foo += {
         c: count &default=42;
-        d: count &optional;
+        d: string &optional;
         anotherset: set[count] &default=set();
 };
 
diff --git a/testing/btest/language/record-type-checking.bro b/testing/btest/language/record-type-checking.bro
new file mode 100644
index 0000000000..d58937d577
--- /dev/null
+++ b/testing/btest/language/record-type-checking.bro
@@ -0,0 +1,47 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type MyRec: record {
+	a: port &default = 1/tcp;
+};
+
+# global, type deduction, named ctor
+global grdn = MyRec($a = 0); # type clash in init
+
+# global, type explicit, named ctor
+global gren: MyRec = MyRec($a = 1); # type clash in init
+
+# global, type deduction, anon ctor
+global grda = [$a = 2]; # fine
+event bro_init()
+	{
+	grda = MyRec($a = 2);  # type clash in assignment
+	}
+
+# global, type explicit, anon ctor
+global grea: MyRec = [$a = 3]; # type clash
+
+# local, type deduction, named ctor
+event bro_init()
+    {
+    local lrdn = MyRec($a = 1000); # type clash
+    }
+
+# local, type explicit, named ctor
+event bro_init()
+    {
+    local lren: MyRec = MyRec($a = 1001); # type clash
+    }
+
+# local, type deduction, anon ctor
+event bro_init()
+    {
+    local lrda = [$a = 1002];   # fine
+    lrda = MyRec($a = 1002);    # type clash
+    }
+
+# local, type explicit, anon ctor
+event bro_init()
+    {
+    local lrea: MyRec = [$a = 1003]; # type clash
+    }
diff --git a/testing/btest/language/sizeof.bro b/testing/btest/language/sizeof.bro
index 8b29e119bd..4f5833aa30 100644
--- a/testing/btest/language/sizeof.bro
+++ b/testing/btest/language/sizeof.bro
@@ -28,7 +28,7 @@ global f:  file = open_log_file("sizeof_demo");
 global i:  int = -10;
 global iv: interval = -5sec;
 global p:  port = 80/tcp;
-global r:  example_record [ $i = 10 ];
+global r:  example_record = [ $i = +10 ];
 global si: set[int];
 global s:  string = "Hello";
 global sn: subnet = 192.168.0.0/24;
diff --git a/testing/btest/scripts/base/utils/conn-ids.test b/testing/btest/scripts/base/utils/conn-ids.test
index a7d2ce0939..affe746e35 100644
--- a/testing/btest/scripts/base/utils/conn-ids.test
+++ b/testing/btest/scripts/base/utils/conn-ids.test
@@ -4,8 +4,8 @@
 # This is loaded by default.
 #@load base/utils/conn-ids
 
-global c: conn_id = [ $orig_h = 10.0.0.100, $orig_p = 10000,
-                      $resp_h = 10.0.0.200, $resp_p = 20000 ];
+global c: conn_id = [ $orig_h = 10.0.0.100, $orig_p = 10000/tcp,
+                      $resp_h = 10.0.0.200, $resp_p = 20000/tcp ];
 
 print id_string(c);
 print reverse_id_string(c);
diff --git a/testing/btest/scripts/base/utils/directions-and-hosts.test b/testing/btest/scripts/base/utils/directions-and-hosts.test
index 6f4f781c72..92d1b48d3a 100644
--- a/testing/btest/scripts/base/utils/directions-and-hosts.test
+++ b/testing/btest/scripts/base/utils/directions-and-hosts.test
@@ -11,20 +11,20 @@ global local_ip = 10.0.0.100;
 global remote_ip = 192.168.1.100;
 
 global local2local: conn_id = [
-    $orig_h = 10.0.0.100, $orig_p = 10000,
-    $resp_h = 10.0.0.200, $resp_p = 20000 ];
+    $orig_h = 10.0.0.100, $orig_p = 10000/tcp,
+    $resp_h = 10.0.0.200, $resp_p = 20000/tcp ];
 
 global local2remote: conn_id = [
-    $orig_h = 10.0.0.100,    $orig_p = 10000,
-    $resp_h = 192.168.1.100, $resp_p = 20000 ];
+    $orig_h = 10.0.0.100,    $orig_p = 10000/tcp,
+    $resp_h = 192.168.1.100, $resp_p = 20000/tcp ];
 
 global remote2local: conn_id = [
-    $orig_h = 192.168.1.100,    $orig_p = 10000,
-    $resp_h = 10.0.0.100,       $resp_p = 20000 ];
+    $orig_h = 192.168.1.100,    $orig_p = 10000/tcp,
+    $resp_h = 10.0.0.100,       $resp_p = 20000/tcp ];
 
 global remote2remote: conn_id = [
-    $orig_h = 192.168.1.100, $orig_p = 10000,
-    $resp_h = 192.168.1.200, $resp_p = 20000 ];
+    $orig_h = 192.168.1.100, $orig_p = 10000/tcp,
+    $resp_h = 192.168.1.200, $resp_p = 20000/tcp ];
 
 function test_host(ip: addr, h: Host, expect: bool)
 	{

From bf3c3887fd14eaa46b81b93e5c6f4d43f69b9f01 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 20 Mar 2014 16:47:20 -0500
Subject: [PATCH 122/220] Fix parsing of "local" named table constructors.

---
 src/parse.y                                   | 20 +++++++++++++++++--
 .../Baseline/language.named-table-ctors/out   |  4 ++++
 testing/btest/language/named-table-ctors.bro  | 16 ++++++++++-----
 3 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/src/parse.y b/src/parse.y
index 04e41ac158..aa01171a24 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -207,6 +207,22 @@ static void extend_record(ID* id, type_decl_list* fields, attr_list* attrs)
 			}
 		}
 	}
+
+static bool expr_is_table_type_name(const Expr* expr)
+	{
+	if ( expr->Tag() != EXPR_NAME )
+		return false;
+
+	BroType* type = expr->Type();
+
+	if ( type->IsTable() )
+		return true;
+
+	if ( type->Tag() == TYPE_TYPE )
+		return type->AsTypeType()->Type()->IsTable();
+
+	return false;
+	}
 %}
 
 %union {
@@ -538,13 +554,13 @@ expr:
 
 	|	expr '('
 			{
-			if ( $1->Tag() == EXPR_NAME && $1->Type()->IsTable() )
+			if ( expr_is_table_type_name($1) )
 				++in_init;
 			}
 
 		opt_expr_list
 			{
-			if ( $1->Tag() == EXPR_NAME && $1->Type()->IsTable() )
+			if ( expr_is_table_type_name($1) )
 				--in_init;
 			}
 
diff --git a/testing/btest/Baseline/language.named-table-ctors/out b/testing/btest/Baseline/language.named-table-ctors/out
index 23554d10f6..273afdd205 100644
--- a/testing/btest/Baseline/language.named-table-ctors/out
+++ b/testing/btest/Baseline/language.named-table-ctors/out
@@ -17,3 +17,7 @@
 [three] = 3.0
 }
 0
+{
+[42] = forty-two,
+[37] = thirty-seven
+}
diff --git a/testing/btest/language/named-table-ctors.bro b/testing/btest/language/named-table-ctors.bro
index 83500488f1..1fad56e30f 100644
--- a/testing/btest/language/named-table-ctors.bro
+++ b/testing/btest/language/named-table-ctors.bro
@@ -17,8 +17,14 @@ global mytablecomp: FooTableComp = FooTableComp(["test", 1] = "test1", ["cool",
 2] = "cool2");
 global mytabley: FooTableY = FooTableY(["one"] = 1, ["two"] = 2, ["three"] = 3) &default=0;
 
-print mytable;
-print mytablerec;
-print mytablecomp;
-print mytabley;
-print mytabley["test"];
+event bro_init()
+	{
+	print mytable;
+	print mytablerec;
+	print mytablecomp;
+	print mytabley;
+	print mytabley["test"];
+
+	local loctable = FooTable([42] = "forty-two", [37] = "thirty-seven");
+	print loctable;
+	}

From 9a8226935d630b37957c156d21be98e6979bb517 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 21 Mar 2014 09:22:03 -0500
Subject: [PATCH 123/220] Add unit tests covering vector/set/table ctors/inits.

---
 .../Baseline/language.set-type-checking/out   | 21 +++++++++
 .../Baseline/language.table-type-checking/out | 14 ++++++
 .../language.vector-type-checking/out         | 19 ++++++++
 testing/btest/language/set-type-checking.bro  | 45 ++++++++++++++++++
 .../btest/language/table-type-checking.bro    | 46 +++++++++++++++++++
 .../btest/language/vector-type-checking.bro   | 46 +++++++++++++++++++
 6 files changed, 191 insertions(+)
 create mode 100644 testing/btest/Baseline/language.set-type-checking/out
 create mode 100644 testing/btest/Baseline/language.table-type-checking/out
 create mode 100644 testing/btest/Baseline/language.vector-type-checking/out
 create mode 100644 testing/btest/language/set-type-checking.bro
 create mode 100644 testing/btest/language/table-type-checking.bro
 create mode 100644 testing/btest/language/vector-type-checking.bro

diff --git a/testing/btest/Baseline/language.set-type-checking/out b/testing/btest/Baseline/language.set-type-checking/out
new file mode 100644
index 0000000000..d93db19abd
--- /dev/null
+++ b/testing/btest/Baseline/language.set-type-checking/out
@@ -0,0 +1,21 @@
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7: arithmetic mixed with non-arithmetic (port and 0)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7 and port: type mismatch (0 and port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 7: inconsistent type in set constructor (set(0))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10: arithmetic mixed with non-arithmetic (port and 1)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10 and port: type mismatch (1 and port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 10: inconsistent type in set constructor (set(1))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16: arithmetic mixed with non-arithmetic (port and 2)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16 and port: type mismatch (2 and port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 16: inconsistent type in set constructor (set(2))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 20: arithmetic mixed with non-arithmetic (port and 3)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 20: initialization type mismatch in set (set(3) and 3)
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25: arithmetic mixed with non-arithmetic (port and 1000)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25 and port: type mismatch (1000 and port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 25: inconsistent type in set constructor (set(1000))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31: arithmetic mixed with non-arithmetic (port and 1001)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31 and port: type mismatch (1001 and port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 31: inconsistent type in set constructor (set(1001))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38: arithmetic mixed with non-arithmetic (port and 1002)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38 and port: type mismatch (1002 and port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 38: inconsistent type in set constructor (set(1002))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.set-type-checking/set-type-checking.bro, line 44: type clash in assignment (lea = set(1003))
diff --git a/testing/btest/Baseline/language.table-type-checking/out b/testing/btest/Baseline/language.table-type-checking/out
new file mode 100644
index 0000000000..00a4bb2491
--- /dev/null
+++ b/testing/btest/Baseline/language.table-type-checking/out
@@ -0,0 +1,14 @@
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 7: type clash (port and zero)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 7: inconsistent types in table constructor (table(zero = 0))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 10: type clash (port and one)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 10: inconsistent types in table constructor (table(one = 1))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 17: type clash in assignment (gda = gda2)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 21 and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 4: index type doesn't match table (three and list of port)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 21: type clash in table assignment (three = 3)
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 26: type clash (port and thousand)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 26: inconsistent types in table constructor (table(thousand = 1000))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 32: type clash (port and thousand-one)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 32: inconsistent types in table constructor (table(thousand-one = 1001))
+error in port and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 39: type clash (port and thousand-two)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 39: inconsistent types in table constructor (table(thousand-two = 1002))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.table-type-checking/table-type-checking.bro, line 45: type clash in assignment (lea = table(thousand-three = 1003))
diff --git a/testing/btest/Baseline/language.vector-type-checking/out b/testing/btest/Baseline/language.vector-type-checking/out
new file mode 100644
index 0000000000..e96017082a
--- /dev/null
+++ b/testing/btest/Baseline/language.vector-type-checking/out
@@ -0,0 +1,19 @@
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7: arithmetic mixed with non-arithmetic (count and zero)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7 and count: type mismatch (zero and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 7: inconsistent types in vector constructor (vector(zero))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10: arithmetic mixed with non-arithmetic (count and one)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10 and count: type mismatch (one and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 10: inconsistent types in vector constructor (vector(one))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 17: type clash in assignment (gda = gda2)
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 21: arithmetic mixed with non-arithmetic (count and three)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 21: initialization type mismatch at index 0 (vector(three) and three)
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26: arithmetic mixed with non-arithmetic (count and thousand)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26 and count: type mismatch (thousand and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 26: inconsistent types in vector constructor (vector(thousand))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32: arithmetic mixed with non-arithmetic (count and thousand-one)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32 and count: type mismatch (thousand-one and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 32: inconsistent types in vector constructor (vector(thousand-one))
+error in count and /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39: arithmetic mixed with non-arithmetic (count and thousand-two)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39 and count: type mismatch (thousand-two and count)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 39: inconsistent types in vector constructor (vector(thousand-two))
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.vector-type-checking/vector-type-checking.bro, line 45: type clash in assignment (lea = vector(thousand-three))
diff --git a/testing/btest/language/set-type-checking.bro b/testing/btest/language/set-type-checking.bro
new file mode 100644
index 0000000000..bf774fb9f9
--- /dev/null
+++ b/testing/btest/language/set-type-checking.bro
@@ -0,0 +1,45 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type MySet: set[port];
+
+# global, type deduction, named ctor
+global gdn = MySet(0); # type clash in init
+
+# global, type explicit, named ctor
+global gen: MySet = MySet(1); # type clash in init
+
+# global, type deduction, anon ctor
+global gda = set(2); # fine
+event bro_init()
+	{
+	gda = MySet(2);  # type clash in assignment
+	}
+
+# global, type explicit, anon ctor
+global gea: MySet = set(3); # type clash
+
+# local, type deduction, named ctor
+event bro_init()
+    {
+    local ldn = MySet(1000); # type clash
+    }
+
+# local, type explicit, named ctor
+event bro_init()
+    {
+    local len: MySet = MySet(1001); # type clash
+    }
+
+# local, type deduction, anon ctor
+event bro_init()
+    {
+    local lda = set(1002);   # fine
+    lda = MySet(1002);    # type clash
+    }
+
+# local, type explicit, anon ctor
+event bro_init()
+    {
+    local lea: MySet = set(1003); # type clash
+    }
diff --git a/testing/btest/language/table-type-checking.bro b/testing/btest/language/table-type-checking.bro
new file mode 100644
index 0000000000..f579a83d37
--- /dev/null
+++ b/testing/btest/language/table-type-checking.bro
@@ -0,0 +1,46 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type MyTable: table[port] of count;
+
+# global, type deduction, named ctor
+global gdn = MyTable(["zero"] = 0); # type clash in init
+
+# global, type explicit, named ctor
+global gen: MyTable = MyTable(["one"] = 1); # type clash in init
+
+# global, type deduction, anon ctor
+global gda = table(["two"] = 2); # fine
+global gda2 = MyTable([2/tcp] = 2); # fine
+event bro_init()
+	{
+	gda = gda2; # type clash
+	}
+
+# global, type explicit, anon ctor
+global gea: MyTable = table(["three"] = 3); # type clash
+
+# local, type deduction, named ctor
+event bro_init()
+    {
+    local ldn = MyTable(["thousand"] = 1000); # type clash
+    }
+
+# local, type explicit, named ctor
+event bro_init()
+    {
+    local len: MyTable = MyTable(["thousand-one"] = 1001); # type clash
+    }
+
+# local, type deduction, anon ctor
+event bro_init()
+    {
+    local lda = table(["thousand-two"] = 1002);   # fine
+    lda = MyTable(["thousand-two"] = 1002);    # type clash
+    }
+
+# local, type explicit, anon ctor
+event bro_init()
+    {
+    local lea: MyTable = table(["thousand-three"] = 1003); # type clash
+    }
diff --git a/testing/btest/language/vector-type-checking.bro b/testing/btest/language/vector-type-checking.bro
new file mode 100644
index 0000000000..b4c75118d1
--- /dev/null
+++ b/testing/btest/language/vector-type-checking.bro
@@ -0,0 +1,46 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type MyVec: vector of count;
+
+# global, type deduction, named ctor
+global gdn = MyVec("zero"); # type clash in init
+
+# global, type explicit, named ctor
+global gen: MyVec = MyVec("one"); # type clash in init
+
+# global, type deduction, anon ctor
+global gda = vector("two"); # fine
+global gda2 = MyVec(2); # fine
+event bro_init()
+	{
+	gda = gda2; # type clash
+	}
+
+# global, type explicit, anon ctor
+global gea: MyVec = vector("three"); # type clash
+
+# local, type deduction, named ctor
+event bro_init()
+    {
+    local ldn = MyVec("thousand"); # type clash
+    }
+
+# local, type explicit, named ctor
+event bro_init()
+    {
+    local len: MyVec = MyVec("thousand-one"); # type clash
+    }
+
+# local, type deduction, anon ctor
+event bro_init()
+    {
+    local lda = vector("thousand-two");   # fine
+    lda = MyVec("thousand-two");    # type clash
+    }
+
+# local, type explicit, anon ctor
+event bro_init()
+    {
+    local lea: MyVec = vector("thousand-three"); # type clash
+    }

From 8dad5026fdf7a5190414671d372e52396922c6a2 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 25 Mar 2014 12:44:11 -0500
Subject: [PATCH 124/220] File type detection changes and fix https.log
 {orig,resp}_fuids fields.

- Removed "binary" and "octet-stream" mime type detections. They don't
  provide any more information than an uninitialized mime_type field
  which implicitly means no magic signature matches and so the media
  type is unknown to Bro.

- Slight change to "text/plain" signature.  It's still not the most
  accurate, which is reflected in its -20 strength value.

- The logic for adding file ids to {orig,resp}_fuids fields of
  the http.log incorrectly depended on the state of
  {orig,resp}_mime_types fields, so sometimes not all file ids
  associated w/ the session were logged.
---
 .../base/frameworks/files/magic/general.sig   |  8 +-
 .../base/frameworks/files/magic/libmagic.sig  | 76 +++++++++----------
 scripts/base/protocols/http/entities.bro      |  4 +-
 .../core.tunnels.gtp.outer_ip_frag/http.log   |  2 +-
 .../btest-doc.sphinx.mimestats#1              |  1 -
 .../bro..stdout                               |  2 -
 .../out                                       |  6 --
 .../b.out                                     |  2 -
 .../c.out                                     |  2 -
 .../out                                       |  2 -
 .../http.log                                  |  2 +-
 11 files changed, 43 insertions(+), 64 deletions(-)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index ce252dd218..20276f69ac 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -1,16 +1,10 @@
 # General purpose file magic signatures.
 
 signature file-plaintext {
-    file-magic /([[:print:][:space:]]+)/
+    file-magic /([[:print:][:space:]]{10})/
     file-mime "text/plain", -20
 }
 
-signature file-binary {
-    # Exclude bytes that can be ASCII or some ISO-8859 characters.
-    file-magic /(.*)([^[:print:][:space:]\xa0-\xff]+)/
-    file-mime "binary", -10
-}
-
 signature file-tar {
     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
     file-mime "application/x-tar", 150
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
index 3fa8d47ab5..299277fac9 100644
--- a/scripts/base/frameworks/files/magic/libmagic.sig
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
@@ -51,7 +51,7 @@ signature file-magic-auto6 {
 
 # >10  string,=# This is a shell archive (len=25), ["shell archive text"], swap_endian=0
 signature file-magic-auto7 {
-	file-mime "application/octet-stream", 280
+	file-mime "application/x-shar", 280
 	file-magic /(.{10})(\x23 This is a shell archive)/
 }
 
@@ -612,7 +612,7 @@ signature file-magic-auto93 {
 # >>>>>>>56  ubequad&,>0 (0x0000000000000000), [""], swap_endian=0
 # >>>>>>>>64  ubequad&,>0 (0x0000000000000000), ["Journal file"], swap_endian=0
 signature file-magic-auto94 {
-	file-mime "application/octet-stream", 80
+	file-mime "application/vnd.fdo.journal", 80
 	file-magic /(LPKSHHRH)(.{8})([\x00\x01\x02\x03])(.{7})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})/
 }
 
@@ -3362,34 +3362,34 @@ signature file-magic-auto500 {
 }
 
 # >0  string,=\037\036 (len=2), ["packed data"], swap_endian=0
-signature file-magic-auto501 {
-	file-mime "application/octet-stream", 50
-	file-magic /(\x1f\x1e)/
-}
+#signature file-magic-auto501 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /(\x1f\x1e)/
+#}
 
 # >0  short&,=7967 (0x1f1f), ["old packed data"], swap_endian=0
-signature file-magic-auto502 {
-	file-mime "application/octet-stream", 50
-	file-magic /((\x1f\x1f)|(\x1f\x1f))/
-}
+#signature file-magic-auto502 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /((\x1f\x1f)|(\x1f\x1f))/
+#}
 
 # >0  short&,=8191 (0x1fff), ["compacted data"], swap_endian=0
-signature file-magic-auto503 {
-	file-mime "application/octet-stream", 50
-	file-magic /((\xff\x1f)|(\x1f\xff))/
-}
+#signature file-magic-auto503 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /((\xff\x1f)|(\x1f\xff))/
+#}
 
 # >0  string,=\377\037 (len=2), ["compacted data"], swap_endian=0
-signature file-magic-auto504 {
-	file-mime "application/octet-stream", 50
-	file-magic /(\xff\x1f)/
-}
+#signature file-magic-auto504 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /(\xff\x1f)/
+#}
 
 # >0  short&,=-13563 (0xcb05), ["huf output"], swap_endian=0
-signature file-magic-auto505 {
-	file-mime "application/octet-stream", 50
-	file-magic /((\x05\xcb)|(\xcb\x05))/
-}
+#signature file-magic-auto505 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /((\x05\xcb)|(\xcb\x05))/
+#}
 
 # >34  string,=LP (len=2), ["Embedded OpenType (EOT)"], swap_endian=0
 signature file-magic-auto506 {
@@ -4134,25 +4134,25 @@ signature file-magic-auto615 {
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
 # >>5  byte&,=0x01, ["LSB"], swap_endian=0
 # >>>16  leshort&,=0 (0x0000), ["no file type,"], swap_endian=0
-signature file-magic-auto616 {
-	file-mime "application/octet-stream", 50
-	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x00\x00)/
-}
+#signature file-magic-auto616 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x00\x00)/
+#}
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
 # >>5  byte&,=0x02, ["MSB"], swap_endian=0
 # >>>16  leshort&,=0 (0x0000), ["no file type,"], swap_endian=1
-signature file-magic-auto617 {
-	file-mime "application/octet-stream", 50
-	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x00)/
-}
+#signature file-magic-auto617 {
+#	file-mime "application/octet-stream", 50
+#	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x00)/
+#}
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
 # >>5  byte&,=0x01, ["LSB"], swap_endian=0
 # >>>16  leshort&,=1 (0x0001), ["relocatable,"], swap_endian=0
 signature file-magic-auto618 {
 	file-mime "application/x-object", 50
-	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x01\x00)/
+	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x01\x00)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4160,7 +4160,7 @@ signature file-magic-auto618 {
 # >>>16  leshort&,=1 (0x0001), ["relocatable,"], swap_endian=1
 signature file-magic-auto619 {
 	file-mime "application/x-object", 50
-	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x01)/
+	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x01)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4168,7 +4168,7 @@ signature file-magic-auto619 {
 # >>>16  leshort&,=2 (0x0002), ["executable,"], swap_endian=0
 signature file-magic-auto620 {
 	file-mime "application/x-executable", 50
-	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x02\x00)/
+	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x02\x00)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4176,7 +4176,7 @@ signature file-magic-auto620 {
 # >>>16  leshort&,=2 (0x0002), ["executable,"], swap_endian=1
 signature file-magic-auto621 {
 	file-mime "application/x-executable", 50
-	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x02)/
+	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x02)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4184,7 +4184,7 @@ signature file-magic-auto621 {
 # >>>16  leshort&,=3 (0x0003), ["shared object,"], swap_endian=0
 signature file-magic-auto622 {
 	file-mime "application/x-sharedlib", 50
-	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x03\x00)/
+	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x03\x00)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4192,7 +4192,7 @@ signature file-magic-auto622 {
 # >>>16  leshort&,=3 (0x0003), ["shared object,"], swap_endian=1
 signature file-magic-auto623 {
 	file-mime "application/x-sharedlib", 50
-	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x03)/
+	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x03)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4200,7 +4200,7 @@ signature file-magic-auto623 {
 # >>>16  leshort&,=4 (0x0004), ["core file"], swap_endian=0
 signature file-magic-auto624 {
 	file-mime "application/x-coredump", 50
-	file-magic /(\x7fELF)(.{1})([\x01])(.{10})(\x04\x00)/
+	file-magic /(\x7fELF)([\x01\x02])([\x01])(.{10})(\x04\x00)/
 }
 
 # >0  string,=\177ELF (len=4), ["ELF"], swap_endian=0
@@ -4208,6 +4208,6 @@ signature file-magic-auto624 {
 # >>>16  leshort&,=4 (0x0004), ["core file"], swap_endian=1
 signature file-magic-auto625 {
 	file-mime "application/x-coredump", 50
-	file-magic /(\x7fELF)(.{1})([\x02])(.{10})(\x00\x04)/
+	file-magic /(\x7fELF)([\x01\x02])([\x02])(.{10})(\x00\x04)/
 }
 
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro
index 0239e0fa85..ff5c915801 100644
--- a/scripts/base/protocols/http/entities.bro
+++ b/scripts/base/protocols/http/entities.bro
@@ -72,7 +72,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 
 		if ( f$is_orig )
 			{
-			if ( ! c$http?$orig_mime_types )
+			if ( ! c$http?$orig_fuids )
 				c$http$orig_fuids = string_vec(f$id);
 			else
 				c$http$orig_fuids[|c$http$orig_fuids|] = f$id;
@@ -87,7 +87,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 			}
 		else
 			{
-			if ( ! c$http?$resp_mime_types )
+			if ( ! c$http?$resp_fuids )
 				c$http$resp_fuids = string_vec(f$id);
 			else
 				c$http$resp_fuids[|c$http$resp_fuids|] = f$id;
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
index e312a8e6ba..0048ce0a40 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@@ -6,5 +6,5 @@
 #open	2013-08-26-19-02-18
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	binary
+1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	-
 #close	2013-08-26-19-02-18
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index 45ba977b4d..3cd6a49e11 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -22,7 +22,6 @@
       1389719059.311698	300.000000	text/html	1	4	53070
       1389719059.311698	300.000000	image/jpeg	1	1	186859
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
-      1389719059.311698	300.000000	binary	1	1	3180
       1389719059.311698	300.000000	text/plain	1	12	113982
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
index 1cce5e77f0..1e68c761de 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.set_timeout_interval/bro..stdout
@@ -10,8 +10,6 @@ total bytes: 1022920
 source: HTTP
 FILE_NEW
 file #1, 0, 0
-MIME_TYPE
-binary
 FILE_OVER_NEW_CONNECTION
 FILE_TIMEOUT
 FILE_TIMEOUT
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
index da42f4fd68..b22c8fe886 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.multipart/out
@@ -2,8 +2,6 @@ FILE_NEW
 file #0, 0, 0
 FILE_BOF_BUFFER
 test^M^J
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #0, 6, 0
@@ -16,8 +14,6 @@ FILE_NEW
 file #1, 0, 0
 FILE_BOF_BUFFER
 test2^M^J
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #1, 7, 0
@@ -30,8 +26,6 @@ FILE_NEW
 file #2, 0, 0
 FILE_BOF_BUFFER
 test3^M^J
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #2, 7, 0
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
index 306fa3493c..f5698aba23 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
@@ -10,8 +10,6 @@ total bytes: 1022920
 source: HTTP
 FILE_NEW
 file #1, 0, 0
-MIME_TYPE
-binary
 FILE_OVER_NEW_CONNECTION
 FILE_TIMEOUT
 FILE_STATE_REMOVE
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
index e182c6d30b..5b213f429a 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
@@ -1,7 +1,5 @@
 FILE_NEW
 file #0, 0, 0
-MIME_TYPE
-text/plain
 FILE_OVER_NEW_CONNECTION
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
index 2fde3f5073..082fb7e038 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out
@@ -9,8 +9,6 @@ FILE_NEW
 file #1, 0, 0
 FILE_BOF_BUFFER
 \0\0^Ex\0\0^J\xf0\0\0^P
-MIME_TYPE
-binary
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
 file #1, 124, 0
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
index a32d83d79c..d4eb473905 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
@@ -6,5 +6,5 @@
 #open	2013-08-26-18-40-16
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	curl/7.30.0	370	465	200	OK	-	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	text/plain,text/plain,text/plain	FjeopJ2lRk9U1CNNb5	text/plain
+1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	curl/7.30.0	370	465	200	OK	-	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	-	FjeopJ2lRk9U1CNNb5	text/plain
 #close	2013-08-26-18-40-16

From 11d3685f88467bf8d3d5566ed3ea1113555ccd4d Mon Sep 17 00:00:00 2001
From: Daniel Thayer <dnthayer@illinois.edu>
Date: Tue, 25 Mar 2014 13:55:20 -0500
Subject: [PATCH 125/220] Update instructions on how to build Bro docs

Also added a note in the main docs about building the Bro docs.
---
 doc/README              | 5 +++--
 doc/install/install.rst | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/doc/README b/doc/README
index 5104f79801..0798ba90ff 100644
--- a/doc/README
+++ b/doc/README
@@ -10,7 +10,7 @@ common/general documentation, style sheets, JavaScript, etc.  The Sphinx
 config file is produced from ``conf.py.in``, and can be edited to change
 various Sphinx options.
 
-There is also a custom Sphinx domain implemented in ``source/ext/bro.py``
+There is also a custom Sphinx domain implemented in ``ext/bro.py``
 which adds some reST directives and roles that aid in generating useful
 index entries and cross-references.  Other extensions can be added in
 a similar fashion.
@@ -19,7 +19,8 @@ The ``make doc`` target in the top-level Makefile can be used to locally
 render the reST files into HTML.  That target depends on:
 
 * Python interpreter >= 2.5
-* `Sphinx <http://sphinx.pocoo.org/>`_ >= 1.0.1
+* `Sphinx <http://sphinx-doc.org/>`_ >= 1.0.1
+* doxygen (required only for building the Broccoli API doc)
 
 After completion, HTML documentation is symlinked in ``build/html``.
 
diff --git a/doc/install/install.rst b/doc/install/install.rst
index 7400d640fe..d4dabdca0a 100644
--- a/doc/install/install.rst
+++ b/doc/install/install.rst
@@ -184,6 +184,11 @@ OpenBSD users, please see our `FAQ
 <http://www.bro.org/documentation/faq.html>`_ if you are having
 problems installing Bro.
 
+Finally, if you want to build the Bro documentation (not required, because
+all of the documentation for the latest Bro release is available on the
+Bro web site), there are instructions in ``doc/README`` in the source
+distribution.
+
 Configure the Run-Time Environment
 ==================================
 

From 06b6dc844705281121bd011e7eebff133ce5c814 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 27 Mar 2014 16:07:52 -0500
Subject: [PATCH 126/220] Add --parse-only option to exit after parsing
 scripts.

May be useful for syntax-checking tools.
---
 src/main.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/main.cc b/src/main.cc
index 53a0cb20ee..7b2a249b24 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -166,6 +166,7 @@ void usage()
 	fprintf(stderr, "bro version %s\n", bro_version());
 	fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
 	fprintf(stderr, "    <file>                         | policy file, or read stdin\n");
+	fprintf(stderr, "    -a|--parse-only                | exit immediately after parsing scripts\n");
 	fprintf(stderr, "    -b|--bare-mode                 | don't load scripts from the base/ directory\n");
 	fprintf(stderr, "    -d|--debug-policy              | activate policy file debugging\n");
 	fprintf(stderr, "    -e|--exec <bro code>           | augment loaded policies by given code\n");
@@ -454,6 +455,7 @@ int main(int argc, char** argv)
 	char* seed_save_file = 0;
 	char* user_pcap_filter = 0;
 	char* debug_streams = 0;
+	int parse_only = false;
 	int bare_mode = false;
 	int seed = 0;
 	int dump_cfg = false;
@@ -465,6 +467,7 @@ int main(int argc, char** argv)
 	int print_plugins = 0;
 
 	static struct option long_opts[] = {
+		{"parse-only",	no_argument,		0,	'a'},
 		{"bare-mode",	no_argument,		0,	'b'},
 		{"debug-policy",	no_argument,		0,	'd'},
 		{"dump-config",		no_argument,		0,	'g'},
@@ -544,7 +547,7 @@ int main(int argc, char** argv)
 	opterr = 0;
 
 	char opts[256];
-	safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLNOPSWbdghv",
+	safe_strncpy(opts, "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGLNOPSWabdghv",
 		     sizeof(opts));
 
 #ifdef USE_PERFTOOLS_DEBUG
@@ -554,6 +557,10 @@ int main(int argc, char** argv)
 	int op;
 	while ( (op = getopt_long(argc, argv, opts, long_opts, &long_optsind)) != EOF )
 		switch ( op ) {
+		case 'a':
+			parse_only = true;
+			break;
+
 		case 'b':
 			bare_mode = true;
 			break;
@@ -890,6 +897,9 @@ int main(int argc, char** argv)
 		exit(1);
 		}
 
+	if ( parse_only )
+		exit(reporter->Errors() > 0 ? 1 : 0);
+
 #ifdef USE_PERFTOOLS_DEBUG
 	}
 #endif

From 9d6c8769eaee4b57dabbdc499c7a48af2fdc1a83 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Fri, 28 Mar 2014 08:37:37 -0400
Subject: [PATCH 127/220] Quick fix to the ElasticSearch writer.

---
 src/logging/writers/ElasticSearch.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/logging/writers/ElasticSearch.cc b/src/logging/writers/ElasticSearch.cc
index 1096316afd..0dd1e1097c 100644
--- a/src/logging/writers/ElasticSearch.cc
+++ b/src/logging/writers/ElasticSearch.cc
@@ -112,6 +112,8 @@ bool ElasticSearch::DoWrite(int num_fields, const Field* const * fields,
 
 	json->Describe(&buffer, num_fields, fields, vals);
 
+	buffer.AddRaw("\n", 1);
+
 	counter++;
 	if ( counter >= BifConst::LogElasticSearch::max_batch_size ||
 	     uint(buffer.Len()) >= BifConst::LogElasticSearch::max_byte_size )

From 254dd85bff57a7b62cf88f1405768fdd4fc0b7bf Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Fri, 28 Mar 2014 10:57:45 -0700
Subject: [PATCH 128/220] Change all &create_expire attributes to &read_expire
 in the cluster part of the sumstats framework.

This seems to fix a few rare problems.
---
 scripts/base/frameworks/sumstats/cluster.bro | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index 42311b8687..d4500c755b 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -70,11 +70,11 @@ redef Cluster::worker2manager_events += /SumStats::(send_a_key|send_no_key)/;
 # intermediate updates so they don't overwhelm their manager. The count that is
 # yielded is the number of times the percentage threshold has been crossed and
 # an intermediate result has been received.
-global recent_global_view_keys: table[string, Key] of count &create_expire=1min &default=0;
+global recent_global_view_keys: table[string, Key] of count &read_expire=1min &default=0;
 
 # Result tables indexed on a uid that are currently being sent to the
 # manager.
-global sending_results: table[string] of ResultTable = table() &create_expire=1min;
+global sending_results: table[string] of ResultTable = table() &read_expire=1min;
 
 # This is done on all non-manager node types in the event that a sumstat is
 # being collected somewhere other than a worker.
@@ -203,7 +203,7 @@ event SumStats::cluster_threshold_crossed(ss_name: string, key: SumStats::Key, t
 # This variable is maintained by manager nodes as they collect and aggregate
 # results.
 # Index on a uid.
-global stats_keys: table[string] of set[Key] &create_expire=1min 
+global stats_keys: table[string] of set[Key] &read_expire=1min 
 	&expire_func=function(s: table[string] of set[Key], idx: string): interval
 		{
 		Reporter::warning(fmt("SumStat key request for the %s SumStat uid took longer than 1 minute and was automatically cancelled.", idx));
@@ -216,16 +216,16 @@ global stats_keys: table[string] of set[Key] &create_expire=1min
 # result is written out and deleted from here.
 # Indexed on a uid.
 # TODO: add an &expire_func in case not all results are received.
-global done_with: table[string] of count &create_expire=1min &default=0;
+global done_with: table[string] of count &read_expire=1min &default=0;
 
 # This variable is maintained by managers to track intermediate responses as
 # they are getting a global view for a certain key.
 # Indexed on a uid.
-global key_requests: table[string] of Result &create_expire=1min;
+global key_requests: table[string] of Result &read_expire=1min;
 
 # Store uids for dynamic requests here to avoid cleanup on the uid.
 # (This needs to be done differently!)
-global dynamic_requests: set[string] &create_expire=1min;
+global dynamic_requests: set[string] &read_expire=1min;
 
 # This variable is maintained by managers to prevent overwhelming communication due
 # to too many intermediate updates.  Each sumstat is tracked separately so that

From 53dd2bb62d68d44acb86e2e8174e14a741fda21a Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 30 Mar 2014 19:54:45 +0200
Subject: [PATCH 129/220] Updating CHANGES and VERSION.

---
 CHANGES | 4 ++++
 VERSION | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 7751f1cb6f..3de38adea4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-251 | 2014-03-28 08:37:37 -0400
+
+  * Quick fix to the ElasticSearch writer. (Seth Hall)
+
 2.2-250 | 2014-03-19 17:20:55 -0400
 
   * Improve performance of MHR script by reducing cloned Vals in
diff --git a/VERSION b/VERSION
index be38aad62b..f9dab4f3d1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-250
+2.2-251

From 806851a21e43280f0e51919cb684f91302c93681 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 30 Mar 2014 20:14:33 +0200
Subject: [PATCH 130/220] Don't include locations into serialization when
 cloning values.

This should save some memory, see BIT-1161.
---
 CHANGES    | 5 +++++
 VERSION    | 2 +-
 aux/broctl | 2 +-
 src/Val.cc | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8218d47ae0..4aff9f7a28 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.2-263 | 2014-03-30 20:19:05 +0200
+
+  * Don't include locations into serialization when cloning values.
+    (Robin Sommer)
+
 2.2-262 | 2014-03-30 20:12:47 +0200
 
   * Refactor SerializationFormat::EndWrite and ChunkedIO::Chunk memory
diff --git a/VERSION b/VERSION
index b5309fe89c..24d315c04a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-262
+2.2-263
diff --git a/aux/broctl b/aux/broctl
index f8273c9eb5..f6308a0f7e 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f8273c9eb5db1168c21b298cd3af4f9b4b008717
+Subproject commit f6308a0f7eb0bef8279fb1ed282474291633cdb9
diff --git a/src/Val.cc b/src/Val.cc
index 9b5b0b9d58..aa9c888d49 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -80,6 +80,7 @@ Val* Val::Clone() const
 	CloneSerializer ss(form);
 	SerialInfo sinfo(&ss);
 	sinfo.cache = false;
+	sinfo.include_locations = false;
 
 	if ( ! this->Serialize(&sinfo) )
 		return 0;

From 1292f1957d54b3054f554aef3f6fcdd0b24bbd33 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 30 Mar 2014 20:21:43 +0200
Subject: [PATCH 131/220] Updating submodule(s).

 [nomail]
---
 CHANGES      | 5 +++++
 VERSION      | 2 +-
 aux/binpac   | 2 +-
 aux/bro-aux  | 2 +-
 aux/broccoli | 2 +-
 aux/broctl   | 2 +-
 aux/btest    | 2 +-
 cmake        | 2 +-
 magic        | 2 +-
 src/3rdparty | 2 +-
 10 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4aff9f7a28..a2a66cf53e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,9 @@
 
+2.2-267 | 2014-03-30 20:21:43 +0200
+
+  * Improve documentation of Bro clusters. Addresses BIT-1160. 
+    (Daniel Thayer)
+
 2.2-263 | 2014-03-30 20:19:05 +0200
 
   * Don't include locations into serialization when cloning values.
diff --git a/VERSION b/VERSION
index 24d315c04a..2794fa367f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-263
+2.2-267
diff --git a/aux/binpac b/aux/binpac
index fe27162849..a93ef13735 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit fe271628492b7b837b3fbcf4626061c8b3568589
+Subproject commit a93ef1373512c661ffcd0d0a61bd19b96667e0d5
diff --git a/aux/bro-aux b/aux/bro-aux
index d7ac87294f..6748ec3a96 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit d7ac87294f415b5ddf3fc81bcae29815d2f835b1
+Subproject commit 6748ec3a96d582a977cd9114ef19c76fe75c57ff
diff --git a/aux/broccoli b/aux/broccoli
index 3138e5068e..ebfa4de45a 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 3138e5068eeeb374c39c3d3b05b482b84d1f6e9c
+Subproject commit ebfa4de45a839e58aec200e7e4bad33eaab4f1ed
diff --git a/aux/broctl b/aux/broctl
index f6308a0f7e..2fb9ff62bf 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f6308a0f7eb0bef8279fb1ed282474291633cdb9
+Subproject commit 2fb9ff62bf08f78071753016863640022fbfe338
diff --git a/aux/btest b/aux/btest
index 4e2ec35917..44441a6c91 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 4e2ec35917acb883c7d2ab19af487f3863c687ae
+Subproject commit 44441a6c912c7c9f8d4771e042306ec5f44e461d
diff --git a/cmake b/cmake
index 58c64e663c..2a72c5e08e 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 58c64e663ca9f035f7741775acefce1f6c8d1ed3
+Subproject commit 2a72c5e08e018cf632033af3920432d5f684e130
diff --git a/magic b/magic
index 99c6b89230..e87fe13a7b 160000
--- a/magic
+++ b/magic
@@ -1 +1 @@
-Subproject commit 99c6b89230e2b9b0e781c42b0b9412d2ab4e14b2
+Subproject commit e87fe13a7b776182ffc8c75076d42702f5c28fed
diff --git a/src/3rdparty b/src/3rdparty
index 14c6ee979c..12b5cb446c 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58
+Subproject commit 12b5cb446c8128bb22e5cbd7baa7d53669539487

From 4fb0288aa272f5df93b4228394bca544520fb348 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 30 Mar 2014 22:21:58 +0200
Subject: [PATCH 132/220] Updating submodule(s).

 [nomail]
---
 aux/binpac   | 2 +-
 aux/bro-aux  | 2 +-
 aux/broccoli | 2 +-
 aux/broctl   | 2 +-
 aux/btest    | 2 +-
 cmake        | 2 +-
 magic        | 2 +-
 src/3rdparty | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/aux/binpac b/aux/binpac
index a93ef13735..fe27162849 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit a93ef1373512c661ffcd0d0a61bd19b96667e0d5
+Subproject commit fe271628492b7b837b3fbcf4626061c8b3568589
diff --git a/aux/bro-aux b/aux/bro-aux
index 6748ec3a96..d7ac87294f 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 6748ec3a96d582a977cd9114ef19c76fe75c57ff
+Subproject commit d7ac87294f415b5ddf3fc81bcae29815d2f835b1
diff --git a/aux/broccoli b/aux/broccoli
index ebfa4de45a..3138e5068e 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit ebfa4de45a839e58aec200e7e4bad33eaab4f1ed
+Subproject commit 3138e5068eeeb374c39c3d3b05b482b84d1f6e9c
diff --git a/aux/broctl b/aux/broctl
index 2fb9ff62bf..dad58c5d73 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 2fb9ff62bf08f78071753016863640022fbfe338
+Subproject commit dad58c5d73ab7678ff097e121114e7493057c8cf
diff --git a/aux/btest b/aux/btest
index 44441a6c91..4e2ec35917 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 44441a6c912c7c9f8d4771e042306ec5f44e461d
+Subproject commit 4e2ec35917acb883c7d2ab19af487f3863c687ae
diff --git a/cmake b/cmake
index 2a72c5e08e..58c64e663c 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 2a72c5e08e018cf632033af3920432d5f684e130
+Subproject commit 58c64e663ca9f035f7741775acefce1f6c8d1ed3
diff --git a/magic b/magic
index e87fe13a7b..99c6b89230 160000
--- a/magic
+++ b/magic
@@ -1 +1 @@
-Subproject commit e87fe13a7b776182ffc8c75076d42702f5c28fed
+Subproject commit 99c6b89230e2b9b0e781c42b0b9412d2ab4e14b2
diff --git a/src/3rdparty b/src/3rdparty
index 12b5cb446c..14c6ee979c 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 12b5cb446c8128bb22e5cbd7baa7d53669539487
+Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58

From f0eb1443039d83eebfa1d6bf0d881161cdd274d7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 30 Mar 2014 22:51:26 +0200
Subject: [PATCH 133/220] Updating submodule(s).

 [nomail]
---
 src/3rdparty | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/3rdparty b/src/3rdparty
index 14c6ee979c..3b3e189dab 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58
+Subproject commit 3b3e189dab3801cd0474dfdd376d9de633cd3766

From 8fe5103176ab70d90ade2845a08c956137f6b6bd Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Sun, 30 Mar 2014 23:05:54 +0200
Subject: [PATCH 134/220] Adding test baseline for
 scripts.policy.misc.dump-events.

---
 CHANGES                                        |  2 +-
 VERSION                                        |  2 +-
 .../all-events.log                             | 18 +++++++++---------
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index c94c2e40ad..d6c7fd4007 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,5 @@
 
-2.2-302 | 2014-03-30 22:40:32 +0200
+2.2-304 | 2014-03-30 23:05:54 +0200
 
   * Replace libmagic w/ Bro signatures for file MIME type
     identification. Addresses BIT-1143. (Jon Siwek)
diff --git a/VERSION b/VERSION
index fa8a4e2e3c..bf70645cc1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-302
+2.2-304
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index dc4e0fd8e5..9f61bfbd3b 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -305,15 +305,15 @@
                   [2] is_orig: bool      = T
 
 1254722770.692743 file_new
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692743 file_over_new_connection
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 1254722770.692743 file_state_remove
-                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Fel9gs4OtNEV6gUJZ5, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=3], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692743 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -337,10 +337,10 @@
                   [2] is_orig: bool      = F
 
 1254722770.692786 file_new
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692786 file_over_new_connection
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=3070, state=4, num_pkts=10, num_bytes_ip=2018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.16374, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=<uninitialized>], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
@@ -358,7 +358,7 @@
                   [2] is_orig: bool      = T
 
 1254722770.692804 file_state_remove
-                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1918, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=Ft4M3f2yMvLlmwtbq9, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=4], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692804, seen_bytes=1918, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40">^M^J^M^J<head>^M^J<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">^M^J<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">^M^J<style>^M^J<!--^M^J /* Font Definitions */^M^J @font-face^M^J^I{font-family:"Cambria Math";^M^J^Ipanose-1:2 4 5 3 5 4 6 3 2 4;}^M^J@font-face^M^J^I{font-family:Calibri;^M^J^Ipanose-1:2 15 5 2 2 2 4 3 2 4;}^M^J /* Style Definitions */^M^J p.MsoNormal, li.MsoNormal, div.MsoNormal^M^J^I{margin:0in;^M^J^Imargin-bottom:.0001pt;^M^J^Ifont-size:11.0pt;^M^J^Ifont-family:"Calibri","sans-serif";}^M^Ja:link, span.MsoHyperlink^M^J^I{mso-style-priority:99;^M^J^Icolor:blue;^M^J^Itext-decoration:underline;}^M^Ja:visited, span.MsoHyperlinkFollowed^M^J^I{mso-style-priority:99;^M^J^Icolor:purple;^M^J^Itext-decoration:underline;}^M^Jspan.EmailStyle17^M^J^I{mso-style-type:personal-c, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692786, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722770.692804 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP
@@ -399,10 +399,10 @@
                   [2] is_orig: bool      = F
 
 1254722770.692823 file_new
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, info=<uninitialized>, u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=<uninitialized>, u2_events=<uninitialized>]
 
 1254722770.692823 file_over_new_connection
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
                   [1] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=5990, state=4, num_pkts=12, num_bytes_ip=5018, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163777, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I<raj_deol2002in@yahoo.co.in>^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I<raj_deol2002in@yahoo.co.in>^J}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
@@ -468,7 +468,7 @@
                   [2] is_orig: bool      = T
 
 1254722771.858334 file_state_remove
-                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10823, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
+                  [0] f: fa_file         = [id=FL9Y0d45OI4LpS6fmh, parent_id=<uninitialized>, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=<gurpartap@patriots.in>, rcptto={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" <gurpartap@patriots.in>, to={^J^I^I<raj_deol2002in@yahoo.co.in>^J^I}, reply_to=<uninitialized>, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=<uninitialized>, subject=SMTP, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, process_received_from=T, has_client_activity=T, entity=<uninitialized>, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=5], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]^J}, last_active=1254722771.858334, seen_bytes=10823, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: 20^M^J  - Strip executable^M^J  - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, 20^M^J    k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J  - Enable use of processor specific built-in function, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>], u2_events=<uninitialized>]
 
 1254722771.858334 get_file_handle
                   [0] tag: enum          = Analyzer::ANALYZER_SMTP

From 559fa595c7901273ed6bfb32661cc3c3fb04cf88 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 31 Mar 2014 11:57:53 -0700
Subject: [PATCH 135/220] Updating submodule(s).

 [nomail]
---
 aux/broctl   | 2 +-
 src/3rdparty | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aux/broctl b/aux/broctl
index dad58c5d73..f8273c9eb5 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit dad58c5d73ab7678ff097e121114e7493057c8cf
+Subproject commit f8273c9eb5db1168c21b298cd3af4f9b4b008717
diff --git a/src/3rdparty b/src/3rdparty
index 3b3e189dab..14c6ee979c 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 3b3e189dab3801cd0474dfdd376d9de633cd3766
+Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58

From a9bbff932b13d9f0a86989aa241edc76852d7465 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 31 Mar 2014 12:01:16 -0700
Subject: [PATCH 136/220] Updating submodule(s).

 [nomail]
---
 aux/broctl   | 2 +-
 src/3rdparty | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aux/broctl b/aux/broctl
index f8273c9eb5..dad58c5d73 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f8273c9eb5db1168c21b298cd3af4f9b4b008717
+Subproject commit dad58c5d73ab7678ff097e121114e7493057c8cf
diff --git a/src/3rdparty b/src/3rdparty
index 14c6ee979c..3b3e189dab 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit 14c6ee979c85875b0599d36fd139c0beef2c6b58
+Subproject commit 3b3e189dab3801cd0474dfdd376d9de633cd3766

From b2f8196dc286af424bd99de636859df2d9d33a77 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 31 Mar 2014 14:06:34 -0700
Subject: [PATCH 137/220] fix potential memleak in x509 parser reported by
 coverity

---
 src/file_analysis/analyzer/x509/X509.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 3bdfb034ac..86f13f8760 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -223,11 +223,11 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 	{
 	assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints);
 
-	RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints);
 	BASIC_CONSTRAINTS *constr = (BASIC_CONSTRAINTS *) X509V3_EXT_d2i(ex);
 
 	if ( constr )
 		{
+		RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints);
 		pBasicConstraint->Assign(0, new Val(constr->ca ? 1 : 0, TYPE_BOOL));
 
 		if ( constr->pathlen )

From acc721c36c21386bbcd92a643018ef5df6d06e6a Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 31 Mar 2014 16:32:58 -0500
Subject: [PATCH 138/220] Fix mem leak and unchecked dynamic cast reported by
 Coverity.

---
 src/RuleMatcher.cc                 | 4 ++++
 src/analyzer/protocol/file/File.cc | 7 ++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 65fbe5602d..5e9dff0a1f 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -686,6 +686,10 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 		loop_over_list(r->actions, rai)
 			{
 			const RuleActionMIME* ram = dynamic_cast<const RuleActionMIME*>(r->actions[rai]);
+
+			if ( ! ram )
+				continue;
+
 			set<string>& ss = (*rval)[ram->GetStrength()];
 			ss.insert(ram->GetMIME());
 			}
diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index 7c471e17cf..4476043721 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -49,12 +49,9 @@ void File_Analyzer::Done()
 
 void File_Analyzer::Identify()
 	{
-	RuleFileMagicState* fms = rule_matcher->InitFileMagic();
 	RuleMatcher::MIME_Matches matches;
-
-	rule_matcher->Match(fms, reinterpret_cast<const u_char*>(buffer),
-	                    buffer_len, &matches);
-
+	file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len,
+	                     &matches);
 	string match = matches.empty() ? "<unknown>"
 	                               : *(matches.begin()->second.begin());
 	val_list* vl = new val_list;

From 4f031449b4c70b17fd31544968ee3a835c41560a Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 31 Mar 2014 18:09:42 -0700
Subject: [PATCH 139/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index dad58c5d73..e3ae2640b6 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit dad58c5d73ab7678ff097e121114e7493057c8cf
+Subproject commit e3ae2640b68ad4ce87ec6cdb09d8e6a5d54d2caf

From a30caf6960d84451cf5a4788bc486dad59927348 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 1 Apr 2014 10:29:41 -0500
Subject: [PATCH 140/220] Fix potential mem leak in IP frag reassembly.

Reported by Coverity, but it's not a typical code path.
---
 src/Frag.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Frag.cc b/src/Frag.cc
index b1efb41594..30bec88af1 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -260,6 +260,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
 			reporter->InternalWarning("bad fragment reassembly");
 			DeleteTimer();
 			Expire(network_time);
+			delete [] pkt_start;
 			return;
 			}
 

From 0c82b6aa14b324486e87951c9917c4fc5d8f06d6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 1 Apr 2014 11:00:10 -0500
Subject: [PATCH 141/220] Fix a couple nits reported by Coverity.

An unnecessary null pointer check and uninitialized scalar fields.
Don't expect these to be actual problems, but easy enough to fix in
order to silence Coverity.
---
 src/Net.cc                   | 4 +---
 src/logging/writers/Ascii.cc | 3 +++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/Net.cc b/src/Net.cc
index 83fcde1df4..bca640b5d2 100644
--- a/src/Net.cc
+++ b/src/Net.cc
@@ -312,9 +312,7 @@ void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
 	if ( ! bro_start_network_time )
 		bro_start_network_time = t;
 
-	TimerMgr* tmgr =
-		src_ps ? sessions->LookupTimerMgr(src_ps->GetCurrentTag())
-			: timer_mgr;
+	TimerMgr* tmgr = sessions->LookupTimerMgr(src_ps->GetCurrentTag());
 
 	// network_time never goes back.
 	network_time = tmgr->Time() < t ? t : tmgr->Time();
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index a04b30cbae..b926a6c55b 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -19,7 +19,10 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	{
 	fd = 0;
 	ascii_done = false;
+	output_to_stdout = false;
+	include_meta = false;
 	tsv = false;
+	use_json = false;
 	formatter = 0;
 	}
 

From e2c71abe9b5217fa4abcec48991313e2f98022df Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 1 Apr 2014 14:23:09 -0500
Subject: [PATCH 142/220] Improve __load__.bro creation for .bif.bro stubs.

The new loader scripts should not try to @load .bif.bro scripts that
were part of a build of an earlier Bro version, but have since had their
.bif file removed.
---
 src/CMakeLists.txt                            |  7 +++++--
 .../canonified_loaded_scripts.log             | 20 +++++++++----------
 .../canonified_loaded_scripts.log             | 20 +++++++++----------
 3 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 6448f519a9..cbb053e132 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -9,6 +9,9 @@ set(bro_ALL_GENERATED_OUTPUTS  CACHE INTERNAL "automatically generated files" FO
 # This collects bif inputs that we'll load automatically.
 set(bro_AUTO_BIFS CACHE INTERNAL "BIFs for automatic inclusion" FORCE)
 
+set(bro_BASE_BIF_SCRIPTS CACHE INTERNAL "Bro script stubs for BIFs in base distribution of Bro" FORCE)
+set(bro_PLUGIN_BIF_SCRIPTS CACHE INTERNAL "Bro script stubs for BIFs in Bro plugins" FORCE)
+
 # If TRUE, use CMake's object libraries for sub-directories instead of
 # static libraries. This requires CMake >= 2.8.8.
 set(bro_HAVE_OBJECT_LIBRARIES FALSE)
@@ -402,12 +405,12 @@ add_custom_target(generate_outputs)
 add_dependencies(generate_outputs generate_outputs_stage2)
 
 # Build __load__.bro files for standard *.bif.bro.
-bro_bif_create_loader(bif_loader ${CMAKE_BINARY_DIR}/scripts/base/bif)
+bro_bif_create_loader(bif_loader "${bro_BASE_BIF_SCRIPTS}")
 add_dependencies(bif_loader ${bro_SUBDIRS})
 add_dependencies(bro bif_loader)
 
 # Build __load__.bro files for plugins/*.bif.bro.
-bro_bif_create_loader(bif_loader_plugins ${CMAKE_BINARY_DIR}/scripts/base/bif/plugins)
+bro_bif_create_loader(bif_loader_plugins "${bro_PLUGIN_BIF_SCRIPTS}")
 add_dependencies(bif_loader_plugins ${bro_SUBDIRS})
 add_dependencies(bro bif_loader_plugins)
 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 4e0e2be8e9..f4eb12d09f 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-03-03-20-45-31
+#open	2014-04-01-19-07-42
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -24,9 +24,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_File.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
@@ -40,12 +37,12 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
@@ -62,12 +59,15 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
-    build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -99,9 +99,9 @@ scripts/base/init-bare.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
     build/scripts/base/bif/bloom-filter.bif.bro
-    build/scripts/base/bif/broxygen.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
+    build/scripts/base/bif/broxygen.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2014-03-04-06-37-10
+#close	2014-04-01-19-07-42
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 06e46737b5..a54c434e38 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-03-13-22-14-10
+#open	2014-04-01-19-07-49
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -24,9 +24,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_File.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Finger.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro
@@ -40,12 +37,12 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Login.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_MIME.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_NetFlow.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
@@ -62,12 +59,15 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro
+    build/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
     build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.events.bif.bro
-    build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_X509.types.bif.bro
-    build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -99,9 +99,9 @@ scripts/base/init-bare.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
     build/scripts/base/bif/bloom-filter.bif.bro
-    build/scripts/base/bif/broxygen.bif.bro
     build/scripts/base/bif/cardinality-counter.bif.bro
     build/scripts/base/bif/top-k.bif.bro
+    build/scripts/base/bif/broxygen.bif.bro
 scripts/base/init-default.bro
   scripts/base/utils/active-http.bro
     scripts/base/utils/exec.bro
@@ -228,4 +228,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-03-03-20-45-54
+#close	2014-04-01-19-07-49

From 01d075bf2d44835d966570d295cbe87536d296e3 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 1 Apr 2014 16:16:50 -0700
Subject: [PATCH 143/220] Change #types description of sets to set

Addresses BIT-1163
---
 src/threading/SerialTypes.cc                       |  4 ++++
 testing/btest/Baseline/core.mpls-in-vlan/conn.log  |  6 +++---
 testing/btest/Baseline/core.pppoe/conn.log         |  6 +++---
 .../btest/Baseline/core.print-bpf-filters/conn.log |  6 +++---
 testing/btest/Baseline/core.q-in-q/conn.log        |  6 +++---
 .../btest/Baseline/core.tcp.miss-end-data/conn.log |  6 +++---
 testing/btest/Baseline/core.tunnels.ayiya/conn.log |  6 +++---
 testing/btest/Baseline/core.tunnels.ayiya/http.log |  6 +++---
 .../Baseline/core.tunnels.gre-in-gre/conn.log      |  6 +++---
 testing/btest/Baseline/core.tunnels.gre/conn.log   |  6 +++---
 .../core.tunnels.gtp.different_dl_and_ul/conn.log  |  6 +++---
 .../core.tunnels.gtp.different_dl_and_ul/http.log  |  6 +++---
 .../Baseline/core.tunnels.gtp.false_gtp/conn.log   |  6 +++---
 .../Baseline/core.tunnels.gtp.inner_ipv6/conn.log  |  6 +++---
 .../core.tunnels.gtp.inner_teredo/conn.log         |  6 +++---
 .../core.tunnels.gtp.not_user_plane_data/conn.log  |  6 +++---
 .../Baseline/core.tunnels.gtp.opt_header/conn.log  |  6 +++---
 .../core.tunnels.gtp.outer_ip_frag/conn.log        |  6 +++---
 .../core.tunnels.gtp.outer_ip_frag/http.log        |  6 +++---
 .../known_services.log                             |  6 +++---
 .../btest/Baseline/core.tunnels.teredo/conn.log    |  6 +++---
 .../btest/Baseline/core.tunnels.teredo/http.log    |  6 +++---
 .../conn.log                                       |  6 +++---
 .../http.log                                       |  6 +++---
 testing/btest/Baseline/core.vlan-mpls/conn.log     |  6 +++---
 .../btest-doc.sphinx.ftp-bruteforce#1              |  6 +++---
 .../btest-doc.sphinx.http_proxy_04#1               |  6 +++---
 .../btest-doc.sphinx.using_bro#1                   |  4 ++--
 .../Baseline/istate.events-ssl/receiver.http.log   |  8 ++++----
 .../Baseline/istate.events-ssl/sender.http.log     |  8 ++++----
 .../btest/Baseline/istate.events/receiver.http.log |  8 ++++----
 .../btest/Baseline/istate.events/sender.http.log   |  8 ++++----
 .../language.init-in-anon-function/http.log        |  6 +++---
 .../files.log                                      |  6 +++---
 .../manager-1.intel.log                            |  8 ++++----
 .../broproc.intel.log                              | 10 +++++-----
 .../manager-1.intel.log                            | 14 +++++++-------
 .../http.log                                       |  6 +++---
 .../test.log                                       |  6 +++---
 .../conn.ds.txt                                    |  2 +-
 .../conn.ds.txt                                    |  2 +-
 .../http.ds.txt                                    |  4 ++--
 .../receiver.test.log                              |  8 ++++----
 .../scripts.base.frameworks.logging.types/ssh.log  |  8 ++++----
 .../http.log                                       |  6 +++---
 .../manager-1.notice.log                           |  8 ++++----
 .../manager-1.notice.log                           |  8 ++++----
 .../notice.log                                     |  8 ++++----
 .../scripts.base.protocols.ftp.ftp-ipv4/conn.log   |  6 +++---
 .../scripts.base.protocols.ftp.ftp-ipv6/conn.log   |  6 +++---
 .../scripts.base.protocols.ftp.gridftp/conn.log    |  6 +++---
 .../scripts.base.protocols.ftp.gridftp/notice.log  |  6 +++---
 .../http.log                                       |  6 +++---
 .../conn.log                                       |  6 +++---
 .../http.log                                       |  6 +++---
 .../smtp.log                                       |  6 +++---
 .../http.log                                       |  6 +++---
 .../http.log                                       |  6 +++---
 .../http.log                                       |  6 +++---
 .../scripts.base.protocols.smtp.basic/smtp.log     |  6 +++---
 .../notice.log                                     | 10 +++++-----
 .../knownservices-all.log                          |  6 +++---
 .../knownservices-local.log                        |  6 +++---
 .../knownservices-remote.log                       |  6 +++---
 .../notice.log                                     |  6 +++---
 .../Baseline/signatures.eval-condition/conn.log    |  6 +++---
 66 files changed, 211 insertions(+), 207 deletions(-)

diff --git a/src/threading/SerialTypes.cc b/src/threading/SerialTypes.cc
index a4f76a9b2d..af98b0af46 100644
--- a/src/threading/SerialTypes.cc
+++ b/src/threading/SerialTypes.cc
@@ -68,6 +68,10 @@ string Field::TypeName() const
 	{
 	string n = type_name(type);
 
+	// we do not support tables, if the internal bro type is table it always is a set
+	if ( type == TYPE_TABLE )
+		n = "set";
+
 	if ( (type == TYPE_TABLE) || (type == TYPE_VECTOR) )
 		{
 		n += "[";
diff --git a/testing/btest/Baseline/core.mpls-in-vlan/conn.log b/testing/btest/Baseline/core.mpls-in-vlan/conn.log
index e8ee793b75..9fc50c0690 100644
--- a/testing/btest/Baseline/core.mpls-in-vlan/conn.log
+++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2014-02-14-20-04-20
+#open	2014-04-01-22-56-13
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1371685686.536606	CXWv6p3arKYeMETxOg	65.65.65.65	19244	65.65.65.65	80	tcp	-	-	-	-	OTH	-	0	D	1	257	0	0	(empty)
 1371686961.156859	CjhGID4nQcgTWjvg4c	65.65.65.65	32828	65.65.65.65	80	tcp	-	-	-	-	OTH	-	0	d	0	0	1	1500	(empty)
 1371686961.479321	CCvvfg3TEfuqmmG4bh	65.65.65.65	61193	65.65.65.65	80	tcp	-	-	-	-	OTH	-	0	D	1	710	0	0	(empty)
-#close	2014-02-14-20-04-20
+#close	2014-04-01-22-56-13
diff --git a/testing/btest/Baseline/core.pppoe/conn.log b/testing/btest/Baseline/core.pppoe/conn.log
index 641696bf64..232a84baa0 100644
--- a/testing/btest/Baseline/core.pppoe/conn.log
+++ b/testing/btest/Baseline/core.pppoe/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-02-12
+#open	2014-04-01-22-56-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1284385418.014560	CPbrpk1qSsw6ESzHV4	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	-	0	D	2	288	0	0	(empty)
 1284385417.962560	CRJuHdVW0XPVINV8a	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	-	0	D	2	210	0	0	(empty)
 1284385411.091560	CjhGID4nQcgTWjvg4c	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	(empty)
@@ -13,4 +13,4 @@
 1284385451.658560	C6pKV8GSxOnSLghOa	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	-	0	-	5	500	5	500	(empty)
 1284385413.027560	CsRx2w45OKnoww6xl4	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	(empty)
 1284385412.963560	CCvvfg3TEfuqmmG4bh	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	48	0	0	(empty)
-#close	2013-08-26-19-02-12
+#close	2014-04-01-22-56-20
diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log
index e874d27959..8cc2a0b949 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/conn.log
+++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-02-14
+#open	2014-04-01-22-56-24
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1278600802.069419	CXWv6p3arKYeMETxOg	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	0	ShADadfF	7	381	7	3801	(empty)
-#close	2013-08-26-19-02-14
+#close	2014-04-01-22-56-24
diff --git a/testing/btest/Baseline/core.q-in-q/conn.log b/testing/btest/Baseline/core.q-in-q/conn.log
index 9a6e2a235f..c54ee71e71 100644
--- a/testing/btest/Baseline/core.q-in-q/conn.log
+++ b/testing/btest/Baseline/core.q-in-q/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-02-13
+#open	2014-04-01-22-56-29
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1363900699.548138	CXWv6p3arKYeMETxOg	172.19.51.37	47808	172.19.51.63	47808	udp	-	0.000100	36	0	S0	-	0	D	2	92	0	0	(empty)
 1363900699.549647	CjhGID4nQcgTWjvg4c	193.1.186.60	9875	224.2.127.254	9875	udp	-	0.000139	552	0	S0	-	0	D	2	608	0	0	(empty)
-#close	2013-08-26-19-02-13
+#close	2014-04-01-22-56-29
diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
index 723e5becc3..90ad080977 100644
--- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
+++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2014-01-24-22-19-38
+#open	2014-04-01-22-56-36
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1331764471.664131	CXWv6p3arKYeMETxOg	192.168.122.230	60648	77.238.160.184	80	tcp	http	10.048360	538	2902	SF	-	2902	ShADafF	5	750	4	172	(empty)
-#close	2014-01-24-22-19-38
+#close	2014-04-01-22-56-36
diff --git a/testing/btest/Baseline/core.tunnels.ayiya/conn.log b/testing/btest/Baseline/core.tunnels.ayiya/conn.log
index 8efd9fa5ac..006406de4d 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/conn.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-29
+#open	2014-04-01-22-56-43
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1257655301.595604	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	tcp	http	2.101052	2981	4665	S1	-	0	ShADad	10	3605	11	5329	CCvvfg3TEfuqmmG4bh
 1257655296.585034	CCvvfg3TEfuqmmG4bh	192.168.3.101	53859	216.14.98.22	5072	udp	ayiya	20.879001	5129	6109	SF	-	0	Dd	21	5717	13	6473	(empty)
 1257655293.629048	CXWv6p3arKYeMETxOg	192.168.3.101	53796	216.14.98.22	5072	udp	ayiya	-	-	-	SHR	-	0	d	0	0	1	176	(empty)
@@ -14,4 +14,4 @@
 1257655296.585188	CPbrpk1qSsw6ESzHV4	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff00:2	130	icmp	-	0.919988	32	0	OTH	-	0	-	2	144	0	0	CCvvfg3TEfuqmmG4bh
 1257655296.585151	CRJuHdVW0XPVINV8a	fe80::216:cbff:fe9a:4cb9	131	ff02::2:f901:d225	130	icmp	-	0.719947	32	0	OTH	-	0	-	2	144	0	0	CCvvfg3TEfuqmmG4bh
 1257655296.585034	CsRx2w45OKnoww6xl4	fe80::216:cbff:fe9a:4cb9	131	ff02::1:ff9a:4cb9	130	icmp	-	4.922880	32	0	OTH	-	0	-	2	144	0	0	CCvvfg3TEfuqmmG4bh
-#close	2013-08-26-18-38-29
+#close	2014-04-01-22-56-43
diff --git a/testing/btest/Baseline/core.tunnels.ayiya/http.log b/testing/btest/Baseline/core.tunnels.ayiya/http.log
index 7fa21931d0..8776a41295 100644
--- a/testing/btest/Baseline/core.tunnels.ayiya/http.log
+++ b/testing/btest/Baseline/core.tunnels.ayiya/http.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-34-59
+#open	2014-04-01-22-56-43
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1257655301.652206	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	10102	200	OK	-	-	-	(empty)	-	-	-	-	-	FYAtjT24MvCBUs5K5f	text/html
 1257655302.514424	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	2	GET	ipv6.google.com	/csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645	http://ipv6.google.com/	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-	-
 1257655303.603569	CIPOse170MGiRM1Qf4	2001:4978:f:4c::2	53382	2001:4860:b002::68	80	3	GET	ipv6.google.com	/gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600	http://ipv6.google.com/	Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre)	0	0	204	No Content	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2013-08-26-19-34-59
+#close	2014-04-01-22-56-43
diff --git a/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log b/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
index 6da1bd2132..c1e6e708ff 100644
--- a/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre-in-gre/conn.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2014-01-16-21-51-36
+#open	2014-04-01-22-56-55
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1341436440.002928	CRJuHdVW0XPVINV8a	3.3.3.2	520	224.0.0.9	520	udp	-	26.148268	48	0	S0	-	0	D	2	104	0	0	CjhGID4nQcgTWjvg4c
 1341436424.378840	CsRx2w45OKnoww6xl4	3.3.3.1	520	224.0.0.9	520	udp	-	28.555457	168	0	S0	-	0	D	2	224	0	0	CjhGID4nQcgTWjvg4c
 1341436424.204043	CCvvfg3TEfuqmmG4bh	10.10.25.1	8	192.168.1.2	0	icmp	-	42.380221	22464	22464	OTH	-	0	-	312	31200	312	31200	CjhGID4nQcgTWjvg4c
-#close	2014-01-16-21-51-36
+#close	2014-04-01-22-56-55
diff --git a/testing/btest/Baseline/core.tunnels.gre/conn.log b/testing/btest/Baseline/core.tunnels.gre/conn.log
index b29d87f40a..79295e476c 100644
--- a/testing/btest/Baseline/core.tunnels.gre/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gre/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2014-01-16-21-51-12
+#open	2014-04-01-22-56-51
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1055289978.756932	CsRx2w45OKnoww6xl4	66.59.111.190	40264	172.28.2.3	22	tcp	ssh	3.157831	952	1671	SF	-	0	ShAdDaFf	12	1584	10	2199	CXWv6p3arKYeMETxOg
 1055289987.055189	CRJuHdVW0XPVINV8a	66.59.111.190	37675	172.28.2.3	53	udp	dns	5.001141	66	0	S0	-	0	D	2	122	0	0	CXWv6p3arKYeMETxOg
 1055289996.849099	CIPOse170MGiRM1Qf4	66.59.111.190	123	129.170.17.4	123	udp	-	0.072374	48	48	SF	-	0	Dd	1	76	1	76	CXWv6p3arKYeMETxOg
@@ -13,4 +13,4 @@
 1055289992.849231	C6pKV8GSxOnSLghOa	66.59.111.190	123	66.59.111.182	123	udp	-	0.056629	48	48	SF	-	0	Dd	1	76	1	76	CXWv6p3arKYeMETxOg
 1055289968.793044	CjhGID4nQcgTWjvg4c	66.59.111.190	8	172.28.2.3	0	icmp	-	3.061298	224	224	OTH	-	0	-	4	336	4	336	CXWv6p3arKYeMETxOg
 1055289987.106744	CPbrpk1qSsw6ESzHV4	172.28.2.3	3	66.59.111.190	3	icmp	-	4.994662	122	0	OTH	-	0	-	2	178	0	0	CXWv6p3arKYeMETxOg
-#close	2014-01-16-21-51-12
+#close	2014-04-01-22-56-51
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
index d696f70259..064aa5ae2c 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-29
+#open	2014-04-01-22-56-58
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458850.321642	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	tcp	http	0.257902	1138	63424	S3	-	0	ShADadf	29	2310	49	65396	CXWv6p3arKYeMETxOg,CCvvfg3TEfuqmmG4bh
 1333458850.325787	CCvvfg3TEfuqmmG4bh	207.233.125.40	2152	167.55.105.244	2152	udp	gtpv1	0.251127	65788	0	S0	-	0	D	49	67160	0	0	(empty)
 1333458850.321642	CXWv6p3arKYeMETxOg	167.55.105.244	5906	207.233.125.40	2152	udp	gtpv1	0.257902	2542	0	S0	-	0	D	29	3354	0	0	(empty)
-#close	2013-08-26-18-38-29
+#close	2014-04-01-22-56-58
diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
index f8715d86c2..a21f888032 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-02-16
+#open	2014-04-01-22-56-58
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1333458850.340368	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	1	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	-	-	FHKKd91EMHBEK0hbdg	application/x-shockwave-flash
 1333458850.399501	CjhGID4nQcgTWjvg4c	10.131.17.170	51803	173.199.115.168	80	2	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	-	-	Fu64Vqjy6nBop9nRd	application/x-shockwave-flash
-#close	2013-08-26-19-02-16
+#close	2014-04-01-22-56-58
diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
index 4b65626908..fcd76f1844 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-02-17
+#open	2014-04-01-22-57-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458871.219794	CXWv6p3arKYeMETxOg	10.131.24.6	2152	195.178.38.3	53	udp	dns	-	-	-	S0	-	0	D	1	64	0	0	(empty)
-#close	2013-08-26-19-02-17
+#close	2014-04-01-22-57-03
diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
index ee444fe4f1..113201ff6b 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-30
+#open	2014-04-01-22-57-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458851.770000	CjhGID4nQcgTWjvg4c	fe80::224c:4fff:fe43:414c	1234	ff02::1:3	5355	udp	dns	-	-	-	S0	-	0	D	1	80	0	0	CXWv6p3arKYeMETxOg
 1333458851.770000	CXWv6p3arKYeMETxOg	118.92.124.41	2152	118.92.124.72	2152	udp	gtpv1	0.199236	152	0	S0	-	0	D	2	208	0	0	(empty)
 1333458851.969236	CCvvfg3TEfuqmmG4bh	fe80::224c:4fff:fe43:414c	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	56	0	0	CXWv6p3arKYeMETxOg
-#close	2013-08-26-18-38-30
+#close	2014-04-01-22-57-05
diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
index 9ec1472184..ca63125d8e 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-30
+#open	2014-04-01-22-57-08
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458850.037956	CEle3f3zno26fFZkrh	10.131.112.102	51403	94.245.121.253	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	84	C3SfNE4BWaU4aSuwkc
 1333458850.040098	CwSkQu4eWZCH7OONC1	174.94.190.229	2152	190.104.181.57	2152	udp	gtpv1	0.003698	192	0	S0	-	0	D	2	248	0	0	(empty)
 1333458850.016620	CsRx2w45OKnoww6xl4	172.24.16.121	61901	94.245.121.251	3544	udp	teredo	-	-	-	S0	-	0	D	1	80	0	0	CCvvfg3TEfuqmmG4bh
@@ -23,4 +23,4 @@
 1333458850.035456	CMXxB5GvmoxJFXdTa	172.27.159.9	63912	94.245.121.253	3544	udp	teredo	-	-	-	S0	-	0	D	1	89	0	0	CJ3xTn1c4Zw9TmAE05
 1333458850.016620	CRJuHdVW0XPVINV8a	2001:0:5ef5:79fb:38b8:1695:2b37:be8e	128	2002:2571:c817::2571:c817	129	icmp	-	-	-	-	OTH	-	0	-	1	52	0	0	CsRx2w45OKnoww6xl4
 1333458850.035456	Caby8b1slFea8xwSmb	fe80::ffff:ffff:fffe	133	ff02::2	134	icmp	-	0.000004	0	0	OTH	-	0	-	2	96	0	0	Che1bq3i2rO3KD1Syg,CMXxB5GvmoxJFXdTa
-#close	2013-08-26-18-38-30
+#close	2014-04-01-22-57-08
diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
index 06426dd65e..db8d3ee190 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-02-18
+#open	2014-04-01-22-57-11
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458850.532814	CXWv6p3arKYeMETxOg	247.56.43.90	2152	247.56.43.248	2152	udp	-	-	-	-	S0	-	0	D	1	52	0	0	(empty)
 1333458850.867091	CjhGID4nQcgTWjvg4c	247.56.43.214	2152	237.56.101.238	2152	udp	-	0.028676	12	14	SF	-	0	Dd	1	40	1	42	(empty)
-#close	2013-08-26-19-02-18
+#close	2014-04-01-22-57-11
diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
index cd33ef39f8..6660656315 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-31
+#open	2014-04-01-22-57-12
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458852.011535	CjhGID4nQcgTWjvg4c	10.222.10.10	44960	173.194.69.188	5228	tcp	ssl	0.573499	704	1026	S1	-	0	ShADad	17	1604	14	1762	CXWv6p3arKYeMETxOg
 1333458852.011535	CXWv6p3arKYeMETxOg	79.188.154.91	2152	243.149.173.198	2152	udp	gtpv1	0.573499	1740	1930	SF	-	0	Dd	17	2216	14	2322	(empty)
-#close	2013-08-26-18-38-31
+#close	2014-04-01-22-57-12
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
index bc21b87714..2367df6b8d 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-31
+#open	2014-04-01-22-57-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1333458850.364667	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	tcp	http	0.069783	2100	56702	SF	-	0	ShADadfF	27	3204	41	52594	CXWv6p3arKYeMETxOg
 1333458850.364667	CXWv6p3arKYeMETxOg	239.114.155.111	2152	63.94.149.181	2152	udp	gtpv1	0.069813	3420	52922	SF	-	0	Dd	27	4176	41	54070	(empty)
-#close	2013-08-26-18-38-31
+#close	2014-04-01-22-57-15
diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
index 0048ce0a40..ab4b369533 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-02-18
+#open	2014-04-01-22-57-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1333458850.375568	CjhGID4nQcgTWjvg4c	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	-	-	FNJkBA1b8FSHt5N8jl	-
-#close	2013-08-26-19-02-18
+#close	2014-04-01-22-57-15
diff --git a/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log b/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
index 705cd0e956..1330c6c505 100644
--- a/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
+++ b/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	known_services
-#open	2012-10-02-20-10-05
+#open	2014-04-01-22-57-25
 #fields	ts	host	port_num	port_proto	service
-#types	time	addr	port	enum	table[string]
+#types	time	addr	port	enum	set[string]
 1258567191.405770	192.168.1.1	53	udp	TEREDO
-#close	2012-10-02-20-10-05
+#close	2014-04-01-22-57-25
diff --git a/testing/btest/Baseline/core.tunnels.teredo/conn.log b/testing/btest/Baseline/core.tunnels.teredo/conn.log
index 20d5a270ce..64fe869295 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-32
+#open	2014-04-01-22-57-21
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1210953047.736921	CjhGID4nQcgTWjvg4c	192.168.2.16	1576	75.126.130.163	80	tcp	-	0.000357	0	0	SHR	-	0	fA	1	40	1	40	(empty)
 1210953050.867067	CCvvfg3TEfuqmmG4bh	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.000387	0	0	SHR	-	0	fA	1	40	1	40	(empty)
 1210953057.833364	CIPOse170MGiRM1Qf4	192.168.2.16	1577	75.126.203.78	80	tcp	-	0.079208	0	0	SH	-	0	Fa	1	40	1	40	(empty)
@@ -27,4 +27,4 @@
 1210953052.324629	C6pKV8GSxOnSLghOa	fe80::8000:f227:bec8:61af	134	fe80::8000:ffff:ffff:fffd	133	icmp	-	-	-	-	OTH	-	0	-	1	88	0	0	CPbrpk1qSsw6ESzHV4
 1210953060.829303	CEle3f3zno26fFZkrh	2001:0:4137:9e50:8000:f12a:b9c8:2815	128	2001:4860:0:2001::68	129	icmp	-	0.463615	4	4	OTH	-	0	-	1	52	1	52	C3SfNE4BWaU4aSuwkc,CsRx2w45OKnoww6xl4
 1210953052.202579	CRJuHdVW0XPVINV8a	fe80::8000:ffff:ffff:fffd	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	CsRx2w45OKnoww6xl4
-#close	2013-08-26-18-38-32
+#close	2014-04-01-22-57-21
diff --git a/testing/btest/Baseline/core.tunnels.teredo/http.log b/testing/btest/Baseline/core.tunnels.teredo/http.log
index f2422ac4b0..9a9776b7f3 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/http.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-35-02
+#open	2014-04-01-22-57-21
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1210953057.917183	C7XEbhP654jzLoe3a	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	-	(empty)	-	-	-	Fp32SIJztq0Szn5Qc	text/plain	-	-
 1210953061.585996	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	-	-	FNFYdH11h5iQcoD3a2	text/html
 1210953073.381474	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	-	-	FHD5nv1iSVFZVM0aH7	text/html
 1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	application/xml
-#close	2013-08-26-19-35-02
+#close	2014-04-01-22-57-21
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log
index e42ab8749b..5a55c8871d 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-18-38-32
+#open	2014-04-01-22-57-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1340127577.354166	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	tcp	http	0.052829	1675	10467	S1	-	0	ShADad	10	2279	12	11191	CRJuHdVW0XPVINV8a
 1340127577.336558	CXWv6p3arKYeMETxOg	192.168.2.16	3797	65.55.158.80	3544	udp	teredo	0.010291	129	52	SF	-	0	Dd	2	185	1	80	(empty)
 1340127577.341510	CRJuHdVW0XPVINV8a	192.168.2.16	3797	83.170.1.38	32900	udp	teredo	0.065485	2367	11243	SF	-	0	Dd	12	2703	13	11607	(empty)
@@ -13,4 +13,4 @@
 1340127577.339015	CsRx2w45OKnoww6xl4	fe80::8000:f227:bec8:61af	134	fe80::8000:ffff:ffff:fffd	133	icmp	-	-	-	-	OTH	-	0	-	1	88	0	0	CCvvfg3TEfuqmmG4bh
 1340127577.343969	CPbrpk1qSsw6ESzHV4	2001:0:4137:9e50:8000:f12a:b9c8:2815	128	2001:4860:0:2001::68	129	icmp	-	0.007778	4	4	OTH	-	0	-	1	52	1	52	CXWv6p3arKYeMETxOg,CRJuHdVW0XPVINV8a
 1340127577.336558	CjhGID4nQcgTWjvg4c	fe80::8000:ffff:ffff:fffd	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	CXWv6p3arKYeMETxOg
-#close	2013-08-26-18-38-32
+#close	2014-04-01-22-57-27
diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
index 6d91b844de..eff4b8ff36 100644
--- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
+++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-35-02
+#open	2014-04-01-22-57-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1340127577.361683	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	-	-	FWSTWv4EZLVlc2Zywi	text/html
 1340127577.379360	C6pKV8GSxOnSLghOa	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	-	-	FGKV3B3jz083xhGO13	text/html
-#close	2013-08-26-19-35-02
+#close	2014-04-01-22-57-27
diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log
index 26a46e51cf..55a0f2b161 100644
--- a/testing/btest/Baseline/core.vlan-mpls/conn.log
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-02-20
+#open	2014-04-01-22-57-31
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 952109346.874907	CXWv6p3arKYeMETxOg	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.102560	26	0	SH	-	0	SADF	11	470	0	0	(empty)
 1128727435.450898	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	tcp	http	1.733303	98	9417	SF	-	0	ShADdFaf	12	730	10	9945	(empty)
 1278600802.069419	CCvvfg3TEfuqmmG4bh	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	0	ShADadfF	7	381	7	3801	(empty)
-#close	2013-08-26-19-02-20
+#close	2014-04-01-22-57-31
diff --git a/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1 b/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1
index 35bb3fca30..55bbccb828 100644
--- a/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1
+++ b/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1
@@ -16,9 +16,9 @@
       #empty_field	(empty)
       #unset_field	-
       #path	notice
-      #open	2014-01-21-21-56-07
+      #open	2014-04-01-22-59-07
       #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-      #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
+      #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
       1389721084.522861	-	-	-	-	-	-	-	-	-	FTP::Bruteforcing	192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s	-	192.168.56.1	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-      #close	2014-01-21-21-56-07
+      #close	2014-04-01-22-59-07
 
diff --git a/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1 b/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1
index cfe35296cb..33536d492d 100644
--- a/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1
+++ b/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1
@@ -16,9 +16,9 @@
       #empty_field	(empty)
       #unset_field	-
       #path	notice
-      #open	2014-01-21-20-11-20
+      #open	2014-04-01-22-59-14
       #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-      #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
+      #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
       1389654450.449603	CXWv6p3arKYeMETxOg	192.168.56.1	52679	192.168.56.101	80	-	-	-	tcp	HTTP::Open_Proxy	A local server is acting as an open proxy: 192.168.56.101	-	192.168.56.1	192.168.56.101	80	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-      #close	2014-01-21-20-11-20
+      #close	2014-04-01-22-59-15
 
diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
index 53bcb5581d..e1da11a146 100644
--- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
+++ b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1
@@ -16,9 +16,9 @@
       #empty_field	(empty)
       #unset_field	-
       #path	conn
-      #open	2013-10-07-23-48-15
+      #open	2014-04-01-22-59-28
       #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-      #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+      #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
       1300475167.096535	CXWv6p3arKYeMETxOg	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	0	D	1	73	0	0	(empty)
       1300475167.097012	CjhGID4nQcgTWjvg4c	fe80::217:f2ff:fed7:cf65	5353	ff02::fb	5353	udp	dns	-	-	-	S0	-	0	D	1	199	0	0	(empty)
       1300475167.099816	CCvvfg3TEfuqmmG4bh	141.142.220.50	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	0	D	1	179	0	0	(empty)
diff --git a/testing/btest/Baseline/istate.events-ssl/receiver.http.log b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
index 58d6f075f2..b19aa4e229 100644
--- a/testing/btest/Baseline/istate.events-ssl/receiver.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/receiver.http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-36-03
+#open	2014-04-01-23-00-17
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1377545762.339375	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2013-08-26-19-36-04
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1396393217.023534	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+#close	2014-04-01-23-00-19
diff --git a/testing/btest/Baseline/istate.events-ssl/sender.http.log b/testing/btest/Baseline/istate.events-ssl/sender.http.log
index 58d6f075f2..b19aa4e229 100644
--- a/testing/btest/Baseline/istate.events-ssl/sender.http.log
+++ b/testing/btest/Baseline/istate.events-ssl/sender.http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-36-03
+#open	2014-04-01-23-00-17
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1377545762.339375	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2013-08-26-19-36-04
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1396393217.023534	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+#close	2014-04-01-23-00-19
diff --git a/testing/btest/Baseline/istate.events/receiver.http.log b/testing/btest/Baseline/istate.events/receiver.http.log
index 58d6f075f2..50de2e7aa5 100644
--- a/testing/btest/Baseline/istate.events/receiver.http.log
+++ b/testing/btest/Baseline/istate.events/receiver.http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-36-03
+#open	2014-04-01-22-59-59
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1377545762.339375	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2013-08-26-19-36-04
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1396393198.822094	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+#close	2014-04-01-23-00-00
diff --git a/testing/btest/Baseline/istate.events/sender.http.log b/testing/btest/Baseline/istate.events/sender.http.log
index ed1f15c8ab..50de2e7aa5 100644
--- a/testing/btest/Baseline/istate.events/sender.http.log
+++ b/testing/btest/Baseline/istate.events/sender.http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-03-34
+#open	2014-04-01-22-59-59
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
-1377543813.907864	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2013-08-26-19-03-35
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1396393198.822094	CjhGID4nQcgTWjvg4c	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	(empty)	-	-	-	-	-	-	-
+#close	2014-04-01-23-00-00
diff --git a/testing/btest/Baseline/language.init-in-anon-function/http.log b/testing/btest/Baseline/language.init-in-anon-function/http.log
index 9dfebce2ea..2f4bbbb8e4 100644
--- a/testing/btest/Baseline/language.init-in-anon-function/http.log
+++ b/testing/btest/Baseline/language.init-in-anon-function/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-01-23-22-15-45
+#open	2014-04-01-23-12-50
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1300475168.784020	CRJuHdVW0XPVINV8a	141.142.0.0	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.0.0	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475168.916183	C7XEbhP654jzLoe3a	141.142.0.0	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
@@ -20,4 +20,4 @@
 1300475169.014619	CyAhVIzHqb7t7kv28	141.142.0.0	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475169.014593	CzA03V1VcgagLjnO92	141.142.0.0	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.0.0	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2014-01-23-22-15-45
+#close	2014-04-01-23-12-50
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
index 447d991f3e..cc185a4f1b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2013-08-26-18-39-03
+#open	2014-04-01-23-13-35
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
-#types	time	string	table[addr]	table[addr]	table[string]	string	count	table[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
 1362692527.009721	FakNcS1Jfe01uljb3	192.150.187.43	141.142.228.5	CXWv6p3arKYeMETxOg	HTTP	0	SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	FakNcS1Jfe01uljb3-file
-#close	2013-08-26-18-39-03
+#close	2014-04-01-23-13-35
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
index 27a1f2d2f8..cd314ab408 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2013-08-14-03-46-32
+#open	2014-04-01-23-13-48
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	table[string]
-1376451992.872806	-	-	-	-	-	-	-	-	123.123.123.123	Intel::ADDR	Intel::IN_ANYWHERE	worker-1
-#close	2013-08-14-03-46-42
+#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	set[string]
+1396394028.821227	-	-	-	-	-	-	-	-	123.123.123.123	Intel::ADDR	Intel::IN_ANYWHERE	worker-1
+#close	2014-04-01-23-13-58
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log
index ea57d77b18..c1c81a662b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2013-08-14-03-47-03
+#open	2014-04-01-23-14-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	table[string]
-1376452023.137179	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	source1
-1376452023.137179	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	source1
-#close	2013-08-14-03-47-03
+#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	set[string]
+1396394044.377145	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	source1
+1396394044.377145	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	SOMEWHERE	source1
+#close	2014-04-01-23-14-04
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log
index bf9aa50fef..f7d62eb737 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log
@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2013-08-14-03-47-23
+#open	2014-04-01-23-14-12
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	sources
-#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	table[string]
-1376452043.835810	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	source1
-1376452043.835810	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
-1376452044.855238	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	source1
-1376452044.855238	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
-#close	2013-08-14-03-47-32
+#types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	set[string]
+1396394052.512481	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	source1
+1396394052.512481	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
+1396394053.554897	-	-	-	-	-	-	-	-	1.2.3.4	Intel::ADDR	Intel::IN_A_TEST	source1
+1396394053.554897	-	-	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
+#close	2014-04-01-23-14-21
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
index 3ac1f21307..4786a6f8b9 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-odd-url/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-18-39-58
+#open	2014-04-01-23-14-58
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1315799856.264750	CXWv6p3arKYeMETxOg	10.0.1.104	64216	193.40.5.162	80	1	GET	lepo.it.da.ut.ee	/~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf	-	Wget/1.12 (darwin10.8.0)	0	346	404	Not Found	-	-	-	(empty)	-	-	-	-	-	FGNm7b3eXjhJLfvOWl	text/html
-#close	2013-08-26-18-39-58
+#close	2014-04-01-23-14-58
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log
index 25e9319eec..a8208952ef 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-set-separator/test.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	test
-#open	2012-07-20-01-49-19
+#open	2014-04-01-23-15-00
 #fields	ss
-#types	table[string]
+#types	set[string]
 CC,AA,\x2c,\x2c\x2c
-#close	2012-07-20-01-49-19
+#close	2014-04-01-23-15-00
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
index 3bf8a78707..a832005c83 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt
@@ -49,7 +49,7 @@
 <!-- orig_ip_bytes : count -->
 <!-- resp_pkts : count -->
 <!-- resp_ip_bytes : count -->
-<!-- tunnel_parents : table[string] -->
+<!-- tunnel_parents : set[string] -->
 
 # Extent, type='conn'
 ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
index a82439c1e0..afb44e36eb 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt
@@ -49,7 +49,7 @@
 <!-- orig_ip_bytes : count -->
 <!-- resp_pkts : count -->
 <!-- resp_ip_bytes : count -->
-<!-- tunnel_parents : table[string] -->
+<!-- tunnel_parents : set[string] -->
 
 # Extent, type='conn'
 ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
index e030dfee42..eec7031ba7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt
@@ -56,10 +56,10 @@
 <!-- info_code : count -->
 <!-- info_msg : string -->
 <!-- filename : string -->
-<!-- tags : table[enum] -->
+<!-- tags : set[enum] -->
 <!-- username : string -->
 <!-- password : string -->
-<!-- proxied : table[string] -->
+<!-- proxied : set[string] -->
 <!-- orig_fuids : vector[string] -->
 <!-- orig_mime_types : vector[string] -->
 <!-- resp_fuids : vector[string] -->
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
index 13364f8e77..d6d56f2449 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log
@@ -3,8 +3,8 @@
 #empty_field	EMPTY
 #unset_field	-
 #path	test
-#open	1970-01-01-00-00-00
+#open	2014-04-01-23-15-05
 #fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve
-#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table[count]	table[string]	table[string]	vector[count]	vector[string]
-T	-42	Test::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1342749004.579242	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY
-#close	2012-07-20-01-50-05
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]
+T	-42	Test::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1396394104.330474	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY
+#close	2014-04-01-23-15-15
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
index 6b75d056cf..cc7b1beb06 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.types/ssh.log
@@ -3,8 +3,8 @@
 #empty_field	EMPTY
 #unset_field	-
 #path	ssh
-#open	2012-07-20-01-49-22
+#open	2014-04-01-23-15-19
 #fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	f
-#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table[count]	table[string]	table[string]	vector[count]	vector[string]	func
-T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1342748962.114672	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
-#close	2012-07-20-01-49-22
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	set[count]	set[string]	set[string]	vector[count]	vector[string]	func
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1396394119.939089	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a}
+#close	2014-04-01-23-15-19
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log
index 11b742eaa1..0f1c694c8b 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.writer-path-conflict/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-19-03-59
+#open	2014-04-01-23-15-23
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1300475168.784020	CRJuHdVW0XPVINV8a	141.142.220.118	48649	208.80.152.118	80	1	GET	bits.wikimedia.org	/skins-1.5/monobook/main.css	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475168.916018	CJ3xTn1c4Zw9TmAE05	141.142.220.118	49997	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/6/63/Wikipedia-logo.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475168.916183	C7XEbhP654jzLoe3a	141.142.220.118	49996	208.80.152.3	80	1	GET	upload.wikimedia.org	/wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
@@ -20,4 +20,4 @@
 1300475169.014619	CyAhVIzHqb7t7kv28	141.142.220.118	50000	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475169.014593	CzA03V1VcgagLjnO92	141.142.220.118	49999	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
 1300475169.014927	CkDsfG2YIeWJmXWNWj	141.142.220.118	50001	208.80.152.3	80	2	GET	upload.wikimedia.org	/wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png	http://www.wikipedia.org/	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15	0	0	304	Not Modified	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2013-08-26-19-03-59
+#close	2014-04-01-23-15-23
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
index 8f91bce3ae..461bcc9a92 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-07-25-20-02-37
+#open	2014-04-01-23-15-31
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1374782557.074572	-	-	-	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-07-25-20-02-37
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396394130.996908	-	-	-	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-01-23-15-31
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
index 0374dadc90..275bf725a7 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-07-25-20-24-55
+#open	2014-04-01-23-15-42
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1374783895.933003	-	-	-	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-07-25-20-24-58
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396394142.353380	-	-	-	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-01-23-15-45
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
index 075bd7ea0a..03c42d5849 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-07-25-18-56-00
+#open	2014-04-01-23-15-34
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1374778560.016355	-	-	-	-	-	-	-	-	-	Test_Notice	test	-	-	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-07-25-18-56-00
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396394134.092329	-	-	-	-	-	-	-	-	-	Test_Notice	test	-	-	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-01-23-15-34
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log
index 69cdb7bb93..a614267726 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log
@@ -3,12 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-04-09
+#open	2014-04-01-23-15-49
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1329843175.736107	CjhGID4nQcgTWjvg4c	141.142.220.235	37604	199.233.217.249	56666	tcp	ftp-data	0.112432	0	342	SF	-	0	ShAdfFa	4	216	4	562	(empty)
 1329843179.871641	CCvvfg3TEfuqmmG4bh	141.142.220.235	59378	199.233.217.249	56667	tcp	ftp-data	0.111218	0	77	SF	-	0	ShAdfFa	4	216	4	297	(empty)
 1329843194.151526	CsRx2w45OKnoww6xl4	199.233.217.249	61920	141.142.220.235	33582	tcp	ftp-data	0.056211	342	0	SF	-	0	ShADaFf	5	614	3	164	(empty)
 1329843197.783443	CRJuHdVW0XPVINV8a	199.233.217.249	61918	141.142.220.235	37835	tcp	ftp-data	0.056005	77	0	SF	-	0	ShADaFf	5	349	3	164	(empty)
 1329843161.968492	CXWv6p3arKYeMETxOg	141.142.220.235	50003	199.233.217.249	21	tcp	ftp	38.055625	180	3146	SF	-	0	ShAdDfFa	38	2164	25	4458	(empty)
-#close	2013-08-26-19-04-09
+#close	2014-04-01-23-15-49
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log
index c31b1a6328..6ea943b479 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log
@@ -3,13 +3,13 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-04-09
+#open	2014-04-01-23-15-51
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1329327783.316897	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49186	2001:470:4867:99::21	57086	tcp	ftp-data	0.219721	0	342	SF	-	0	ShAdfFa	5	372	4	642	(empty)
 1329327786.524332	CCvvfg3TEfuqmmG4bh	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49187	2001:470:4867:99::21	57087	tcp	ftp-data	0.217501	0	43	SF	-	0	ShAdfFa	5	372	4	343	(empty)
 1329327787.289095	CsRx2w45OKnoww6xl4	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49188	2001:470:4867:99::21	57088	tcp	ftp-data	0.217941	0	77	SF	-	0	ShAdfFa	5	372	4	377	(empty)
 1329327795.571921	CRJuHdVW0XPVINV8a	2001:470:4867:99::21	55785	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49189	tcp	ftp-data	0.109813	77	0	SF	-	0	ShADFaf	5	449	4	300	(empty)
 1329327777.822004	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49185	2001:470:4867:99::21	21	tcp	ftp	26.658219	310	3448	SF	-	0	ShAdDfFa	57	4426	34	5908	(empty)
 1329327800.017649	CPbrpk1qSsw6ESzHV4	2001:470:4867:99::21	55647	2001:470:1f11:81f:c999:d94:aa7c:2e3e	49190	tcp	ftp-data	0.109181	342	0	SF	-	0	ShADFaf	5	714	4	300	(empty)
-#close	2013-08-26-19-04-09
+#close	2014-04-01-23-15-51
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log
index 423ac86ac0..187f73e3be 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-36-34
+#open	2014-04-01-23-15-53
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1348168976.274919	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	tcp	ssl,ftp,gridftp	0.294743	4491	6659	SF	-	0	ShAdDaFf	22	5643	21	7759	(empty)
 1348168976.546371	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	tcp	ssl,gridftp-data	0.011938	2135	3196	S1	-	0	ShADad	8	2559	6	3516	(empty)
-#close	2013-08-26-19-36-34
+#close	2014-04-01-23-15-53
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
index 336f78dc2f..b4ff9e500f 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-08-26-19-04-09
+#open	2014-04-01-23-15-53
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
 1348168976.558309	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	-	-	-	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-08-26-19-04-09
+#close	2014-04-01-23-15-53
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
index 5aec6dfed3..0418b88b69 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.100-continue/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-18-40-15
+#open	2014-04-01-23-15-57
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1237440095.634312	CXWv6p3arKYeMETxOg	192.168.3.103	54102	128.146.216.51	80	1	POST	www.osu.edu	/	-	curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3	2001	60731	200	OK	100	Continue	-	(empty)	-	-	-	F7Wq2D1IW7Cp2nfZMa	text/plain	FFhC1T3ieHHQqVBLpc	text/html
-#close	2013-08-26-18-40-15
+#close	2014-04-01-23-15-57
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
index 8b639edd93..1685d9efea 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2014-02-13-03-37-02
+#open	2014-04-01-23-15-59
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1078232251.833846	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	tcp	http,smtp	6.722274	1685	223	SF	-	0	ShADadfF	14	2257	16	944	(empty)
-#close	2014-02-13-03-37-02
+#close	2014-04-01-23-15-59
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
index 4a2cf1ad17..6fd4a5a937 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-02-13-03-37-02
+#open	2014-04-01-23-15-59
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1078232252.284420	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	CONNECT	-	mailin03.sul.t-online.de:25 /	-	-	0	0	200	Connection established	-	-	-	(empty)	-	-	-	-	-	-	-
-#close	2014-02-13-03-37-02
+#close	2014-04-01-23-15-59
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
index e11a7e9ac0..27791f873d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/smtp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2014-02-13-03-37-02
+#open	2014-04-01-23-15-59
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
-#types	time	string	addr	port	addr	port	count	string	string	table[string]	string	string	table[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
 1078232255.642953	CXWv6p3arKYeMETxOg	79.26.245.236	3378	254.228.86.79	8240	1	208.191.73.21	<nhfjenna_neumann@lycos.com>	<thenightwatch@t-online.de>	Tue, 2 Mar 2004 13:57:49 +0100	Sybille Ostermann <nhfjenna_neumann@lycos.com>	thenightwatch@t-online.de	-	-	-	Hier sind die dicken Girls hemmungloser denn je.. grcu	-	from mail.iosphere.net (mail.iosphere.net [216.58.97.33]) by mail.netsync.net with esmtp; Mrz, 02 2004 12:55:34 -0700	-	250 Message accepted.	254.228.86.79,79.26.245.236,216.58.97.33	Microsoft Outlook Build 10.0.2616	FVS9k93PUgScEUCOjd
-#close	2014-02-13-03-37-02
+#close	2014-04-01-23-15-59
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
index dea803676b..8a00755e8d 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-18-40-16
+#open	2014-04-01-23-16-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1354328870.191989	CXWv6p3arKYeMETxOg	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	-	0	962	405	Method Not Allowed	-	-	-	(empty)	-	-	-	-	-	FKgccv1sOsIPuN3b73	text/html
 1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	1	OPTIONS	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FWUdF12OgqGLhf3NPl	text/html
 1354328874.299063	CCvvfg3TEfuqmmG4bh	128.2.6.136	46564	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FE9yCx4wFg8js0ey37	text/html
@@ -55,4 +55,4 @@
 1354328932.692706	CkaPGx2P0Y3W5aHVFk	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	-	0	0	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	-	-
 1354328932.754657	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	F04ZTu63dLSqJQpwa	text/html
 1354328932.796568	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	FVoxfM2o0FqsBuQkDa	text/html
-#close	2013-08-26-18-40-16
+#close	2014-04-01-23-16-03
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
index a9fd14cf34..09cc270c2a 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-pipelining/http.log
@@ -3,12 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-18-40-16
+#open	2014-04-01-23-16-13
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1258577884.844956	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	1	GET	www.mozilla.org	/style/enhanced.css	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2675	200	OK	-	-	-	(empty)	-	-	-	-	-	Fa7DPI2ItmEOoVqyYj	text/plain
 1258577884.960135	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	2	GET	www.mozilla.org	/script/urchin.js	http://www.mozilla.org/projects/calendar/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	21421	200	OK	-	-	-	(empty)	-	-	-	-	-	FnBh5P1KP0SnMzl3Qj	text/plain
 1258577885.317160	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	3	GET	www.mozilla.org	/images/template/screen/bullet_utility.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	94	200	OK	-	-	-	(empty)	-	-	-	-	-	F2TV5w2Kwn3G7doSk5	image/gif
 1258577885.349639	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	4	GET	www.mozilla.org	/images/template/screen/key-point-top.png	http://www.mozilla.org/style/screen.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	2349	200	OK	-	-	-	(empty)	-	-	-	-	-	F4kk4T3Unyqtkczzue	image/png
 1258577885.394612	CXWv6p3arKYeMETxOg	192.168.1.104	1673	63.245.209.11	80	5	GET	www.mozilla.org	/projects/calendar/images/header-sunbird.png	http://www.mozilla.org/projects/calendar/calendar.css	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5	0	27579	200	OK	-	-	-	(empty)	-	-	-	-	-	FcB26G4nL7jRheOyA8	image/png
-#close	2013-08-26-18-40-16
+#close	2014-04-01-23-16-13
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
index d4eb473905..e3f52e2283 100644
--- a/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.multipart-extract/http.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2013-08-26-18-40-16
+#open	2014-04-01-23-16-15
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
-#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	vector[string]	vector[string]	vector[string]	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1369159408.455878	CXWv6p3arKYeMETxOg	141.142.228.5	57262	54.243.88.146	80	1	POST	httpbin.org	/post	-	curl/7.30.0	370	465	200	OK	-	-	-	(empty)	-	-	-	F2yGNX2vGXLxfZeD12,Fq4rJh2kLHKa8YC1q1,F9sKY71Rb9megdy7sg	-	FjeopJ2lRk9U1CNNb5	text/plain
-#close	2013-08-26-18-40-16
+#close	2014-04-01-23-16-15
diff --git a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
index 540ff8c0ae..0fcd5e98f6 100644
--- a/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
+++ b/testing/btest/Baseline/scripts.base.protocols.smtp.basic/smtp.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	smtp
-#open	2013-08-26-18-40-24
+#open	2014-04-01-23-16-17
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	helo	mailfrom	rcptto	date	from	to	reply_to	msg_id	in_reply_to	subject	x_originating_ip	first_received	second_received	last_reply	path	user_agent	fuids
-#types	time	string	addr	port	addr	port	count	string	string	table[string]	string	string	table[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
+#types	time	string	addr	port	addr	port	count	string	string	set[string]	string	string	set[string]	string	string	string	string	addr	string	string	string	vector[addr]	string	vector[string]
 1254722768.219663	CjhGID4nQcgTWjvg4c	10.10.1.4	1470	74.53.140.153	25	1	GP	<gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	Mon, 5 Oct 2009 11:36:07 +0530	"Gurpartap Singh" <gurpartap@patriots.in>	<raj_deol2002in@yahoo.co.in>	-	<000301ca4581$ef9e57f0$cedb07d0$@in>	-	SMTP	-	-	-	250 OK id=1Mugho-0003Dg-Un	74.53.140.153,10.10.1.4	Microsoft Office Outlook 12.0	Fel9gs4OtNEV6gUJZ5,Ft4M3f2yMvLlmwtbq9,FL9Y0d45OI4LpS6fmh
-#close	2013-08-26-18-40-24
+#close	2014-04-01-23-16-17
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
index 54b04aafae..9dcb672b24 100644
--- a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2013-07-25-19-54-45
+#open	2014-04-01-23-16-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1374782085.726121	-	-	-	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.4 is running Java 1.7.0.15 which is vulnerable.	Java 1.7.0.15	1.2.3.4	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-1374782085.726121	-	-	-	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.5 is running Java 1.6.0.43 which is vulnerable.	Java 1.6.0.43	1.2.3.5	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2013-07-25-19-54-45
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396394179.027101	-	-	-	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.4 is running Java 1.7.0.15 which is vulnerable.	Java 1.7.0.15	1.2.3.4	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1396394179.027101	-	-	-	-	-	-	-	-	-	Software::Vulnerable_Version	1.2.3.5 is running Java 1.6.0.43 which is vulnerable.	Java 1.6.0.43	1.2.3.5	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-01-23-16-19
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
index af097e5db3..851d9ec7dd 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-all.log
@@ -3,12 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	known_services
-#open	2011-06-24-15-51-31
+#open	2014-04-01-23-16-24
 #fields	ts	host	port_num	port_proto	service
-#types	time	addr	port	enum	table[string]
+#types	time	addr	port	enum	set[string]
 1308930691.049431	172.16.238.131	22	tcp	SSH
 1308930694.550308	172.16.238.131	80	tcp	HTTP
 1308930716.462556	74.125.225.81	80	tcp	HTTP
 1308930718.361665	172.16.238.131	21	tcp	FTP
 1308930726.872485	141.142.192.39	22	tcp	SSH
-#close	2011-06-24-15-52-08
+#close	2014-04-01-23-16-24
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
index 7c27e63a24..ac271018e2 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-local.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	known_services
-#open	2011-06-24-15-51-31
+#open	2014-04-01-23-16-20
 #fields	ts	host	port_num	port_proto	service
-#types	time	addr	port	enum	table[string]
+#types	time	addr	port	enum	set[string]
 1308930691.049431	172.16.238.131	22	tcp	SSH
 1308930694.550308	172.16.238.131	80	tcp	HTTP
 1308930718.361665	172.16.238.131	21	tcp	FTP
-#close	2011-06-24-15-52-08
+#close	2014-04-01-23-16-20
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
index 77fbe1ef70..54680af4cc 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.known-services/knownservices-remote.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	known_services
-#open	2011-06-24-15-51-56
+#open	2014-04-01-23-16-22
 #fields	ts	host	port_num	port_proto	service
-#types	time	addr	port	enum	table[string]
+#types	time	addr	port	enum	set[string]
 1308930716.462556	74.125.225.81	80	tcp	HTTP
 1308930726.872485	141.142.192.39	22	tcp	SSH
-#close	2011-06-24-15-52-08
+#close	2014-04-01-23-16-23
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
index 2368f95505..218feeb750 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-03-13-21-37-53
+#open	2014-04-01-23-16-27
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
 1394745603.293028	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	F1fX1R2cDOzbvg17ye	-	-	tcp	SSL::Certificate_Expired	Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000	-	192.168.4.149	87.98.220.10	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
 1394745619.197766	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	F6NAbK127LhNBaEe5c	-	-	tcp	SSL::Certificate_Expires_Soon	Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000	-	192.168.4.149	122.1.240.204	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-#close	2014-03-13-21-37-53
+#close	2014-04-01-23-16-27
diff --git a/testing/btest/Baseline/signatures.eval-condition/conn.log b/testing/btest/Baseline/signatures.eval-condition/conn.log
index ded15438b7..cc931ddbb4 100644
--- a/testing/btest/Baseline/signatures.eval-condition/conn.log
+++ b/testing/btest/Baseline/signatures.eval-condition/conn.log
@@ -3,12 +3,12 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2013-08-26-19-04-43
+#open	2014-04-01-23-16-29
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
 1329843175.736107	CjhGID4nQcgTWjvg4c	141.142.220.235	37604	199.233.217.249	56666	tcp	ftp-data	0.112432	0	342	SF	-	0	ShAdfFa	4	216	4	562	(empty)
 1329843179.871641	CCvvfg3TEfuqmmG4bh	141.142.220.235	59378	199.233.217.249	56667	tcp	ftp-data	0.111218	0	77	SF	-	0	ShAdfFa	4	216	4	297	(empty)
 1329843194.151526	CsRx2w45OKnoww6xl4	199.233.217.249	61920	141.142.220.235	33582	tcp	ftp-data	0.056211	342	0	SF	-	0	ShADaFf	5	614	3	164	(empty)
 1329843197.783443	CRJuHdVW0XPVINV8a	199.233.217.249	61918	141.142.220.235	37835	tcp	ftp-data	0.056005	77	0	SF	-	0	ShADaFf	5	349	3	164	(empty)
 1329843161.968492	CXWv6p3arKYeMETxOg	141.142.220.235	50003	199.233.217.249	21	tcp	ftp,blah	38.055625	180	3146	SF	-	0	ShAdDfFa	38	2164	25	4458	(empty)
-#close	2013-08-26-19-04-43
+#close	2014-04-01-23-16-29

From df1647ee00d5d7e0c08537b023e2251436117814 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Thu, 3 Apr 2014 10:49:41 -0400
Subject: [PATCH 144/220] Add a uid field to the signatures.log (contributed by
 Anthony Verez)

 - Addresses BIT-1172
---
 scripts/base/frameworks/signatures/main.bro | 32 ++++++++++++---------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/scripts/base/frameworks/signatures/main.bro b/scripts/base/frameworks/signatures/main.bro
index 8448588120..f293237acc 100644
--- a/scripts/base/frameworks/signatures/main.bro
+++ b/scripts/base/frameworks/signatures/main.bro
@@ -70,6 +70,9 @@ export {
 		## The network time at which a signature matching type of event
 		## to be logged has occurred.
 		ts:         time         &log;
+		## A unique identifier of the connection which triggered the
+		## signature match event
+		uid:        string       &log &optional;
 		## The host which triggered the signature match event.
 		src_addr:   addr         &log &optional;
 		## The host port on which the signature-matching activity
@@ -167,7 +170,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 	# Trim the matched data down to something reasonable
 	if ( |data| > 140 )
 		data = fmt("%s...", sub_bytes(data, 0, 140));
-		
+	
 	local src_addr: addr;
 	local src_port: port;
 	local dst_addr: addr;
@@ -192,6 +195,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 		{
 		local info: Info = [$ts=network_time(),
 		                    $note=Sensitive_Signature,
+		                    $uid=state$conn$uid,
 		                    $src_addr=src_addr,
 		                    $src_port=src_port,
 		                    $dst_addr=dst_addr,
@@ -212,11 +216,11 @@ event signature_match(state: signature_state, msg: string, data: string)
 		if ( ++count_per_resp[dst,sig_id] in count_thresholds )
 			{
 			NOTICE([$note=Count_Signature, $conn=state$conn,
-				   $msg=msg,
-				   $n=count_per_resp[dst,sig_id],
-				   $sub=fmt("%d matches of signature %s on host %s",
-						count_per_resp[dst,sig_id],
-						sig_id, dst)]);
+			        $msg=msg,
+			        $n=count_per_resp[dst,sig_id],
+			        $sub=fmt("%d matches of signature %s on host %s",
+			                 count_per_resp[dst,sig_id],
+			                 sig_id, dst)]);
 			}
 		}
 
@@ -290,16 +294,16 @@ event signature_match(state: signature_state, msg: string, data: string)
 				orig, vcount, resp);
 
 		Log::write(Signatures::LOG, 
-			[$ts=network_time(),
-			 $note=Multiple_Signatures, 
-			 $src_addr=orig,
-			 $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
-			 $event_msg=fmt("%s different signatures triggered", vcount),
-			 $sub_msg=vert_scan_msg]);
+		           [$ts=network_time(),
+		            $note=Multiple_Signatures, 
+		            $src_addr=orig,
+		            $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
+		            $event_msg=fmt("%s different signatures triggered", vcount),
+		            $sub_msg=vert_scan_msg]);
 
 		NOTICE([$note=Multiple_Signatures, $src=orig, $dst=resp,
-			$msg=fmt("%s different signatures triggered", vcount),
-			$n=vcount, $sub=vert_scan_msg]);
+		        $msg=fmt("%s different signatures triggered", vcount),
+		        $n=vcount, $sub=vert_scan_msg]);
 
 		last_vthresh[orig] = vcount;
 		}

From 9438bc166bcebc8ca017f43bf6a6540f9d9c7078 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 3 Apr 2014 13:52:26 -0700
Subject: [PATCH 145/220] change the sumstats table that tracks recent
 intermediate requests back to create interval.

In this instance a read expiry actually makes much less sense.
---
 scripts/base/frameworks/sumstats/cluster.bro | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro
index d4500c755b..67c59a8728 100644
--- a/scripts/base/frameworks/sumstats/cluster.bro
+++ b/scripts/base/frameworks/sumstats/cluster.bro
@@ -62,7 +62,7 @@ export {
 # Add events to the cluster framework to make this work.
 redef Cluster::manager2worker_events += /SumStats::cluster_(ss_request|get_result|threshold_crossed)/;
 redef Cluster::manager2worker_events += /SumStats::(get_a_key)/;
-redef Cluster::worker2manager_events += /SumStats::cluster_(ss_response|send_result|key_intermediate_response)/;
+redef Cluster::worker2manager_events += /SumStats::cluster_(send_result|key_intermediate_response)/;
 redef Cluster::worker2manager_events += /SumStats::(send_a_key|send_no_key)/;
 
 @if ( Cluster::local_node_type() != Cluster::MANAGER )
@@ -70,7 +70,7 @@ redef Cluster::worker2manager_events += /SumStats::(send_a_key|send_no_key)/;
 # intermediate updates so they don't overwhelm their manager. The count that is
 # yielded is the number of times the percentage threshold has been crossed and
 # an intermediate result has been received.
-global recent_global_view_keys: table[string, Key] of count &read_expire=1min &default=0;
+global recent_global_view_keys: table[string, Key] of count &create_expire=1min &default=0;
 
 # Result tables indexed on a uid that are currently being sent to the
 # manager.

From 36358461ffc3f3ee42c77c17d3e014276c36f1d7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 3 Apr 2014 15:53:51 -0700
Subject: [PATCH 146/220] Updating submodule(s).

 [nomail]
---
 aux/binpac   | 2 +-
 aux/bro-aux  | 2 +-
 aux/broccoli | 2 +-
 aux/broctl   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/aux/binpac b/aux/binpac
index fe27162849..fb5a7365f8 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit fe271628492b7b837b3fbcf4626061c8b3568589
+Subproject commit fb5a7365f852a294c1d415c0fb5c93b594466cab
diff --git a/aux/bro-aux b/aux/bro-aux
index d7ac87294f..3f86e2d5db 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit d7ac87294f415b5ddf3fc81bcae29815d2f835b1
+Subproject commit 3f86e2d5db2a0c5f2f104b15f359f4b752bb4558
diff --git a/aux/broccoli b/aux/broccoli
index 3138e5068e..04e6a7f591 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 3138e5068eeeb374c39c3d3b05b482b84d1f6e9c
+Subproject commit 04e6a7f591817f060a781f21c12e1afce7eb1e16
diff --git a/aux/broctl b/aux/broctl
index e3ae2640b6..f4b070f857 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit e3ae2640b68ad4ce87ec6cdb09d8e6a5d54d2caf
+Subproject commit f4b070f85774d23fa215e6a4fc4f9861b742ee8e

From ffd4711a41ba0e9ea0f8cfd3097aadbe68912eb4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 07:41:08 -0700
Subject: [PATCH 147/220] Throw new event for heartbeat messages.

Not tested.
---
 src/analyzer/protocol/ssl/events.bif       |  2 ++
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 17 +++++++++++++++++
 src/analyzer/protocol/ssl/ssl-defs.pac     |  1 +
 src/analyzer/protocol/ssl/ssl-protocol.pac | 11 +++++++++++
 4 files changed, 31 insertions(+)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 054d9c672f..c85e911ee8 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -138,3 +138,5 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
+
+event ssl_heartbeat%(c: connection, length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..e6ea1628a1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -306,6 +306,10 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
+		if ( ${rec.content_type} == HEARTBEAT )
+			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.length});
+
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
 				orig_label(${rec.is_orig}).c_str(),
@@ -320,6 +324,15 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_heartbeat(rec : SSLRecord) : bool
+		%{
+		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.length});
+
+		return true;
+		%}
+
 };
 
 refine typeattr ChangeCipherSpec += &let {
@@ -339,6 +352,10 @@ refine typeattr ApplicationData += &let {
 	proc : bool = $context.connection.proc_application_data(rec);
 };
 
+refine typeattr Heartbeat += &let {
+	proc : bool = $context.connection.proc_heartbeat(rec);
+};
+
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
 				gmt_unix_time, random_bytes,
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index c35fc56e85..23fa7abce5 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -12,6 +12,7 @@ enum ContentType {
 	ALERT = 21,
 	HANDSHAKE = 22,
 	APPLICATION_DATA = 23,
+	HEARTBEAT = 24,
 	V2_ERROR = 300,
 	V2_CLIENT_HELLO = 301,
 	V2_CLIENT_MASTER_KEY = 302,
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 9368122eaa..c12130abf8 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -63,6 +63,7 @@ type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
 	CHANGE_CIPHER_SPEC	-> ch_cipher : ChangeCipherSpec(rec);
 	ALERT			-> alert : Alert(rec);
 	HANDSHAKE		-> handshake : Handshake(rec);
+	HEARTBEAT -> heartbeat: Heartbeat(rec);
 	APPLICATION_DATA	-> app_data : ApplicationData(rec);
 	V2_ERROR		-> v2_error : V2Error(rec);
 	V2_CLIENT_HELLO		-> v2_client_hello : V2ClientHello(rec);
@@ -225,6 +226,16 @@ type ApplicationData(rec: SSLRecord) = record {
 	data : bytestring &restofdata &transient;
 };
 
+######################################################################
+# V3 Heartbeat
+######################################################################
+
+# Heartbeats should basically always be encrypted, so we should not
+# reach this point.
+type Heartbeat(rec: SSLRecord) = record {
+	data : bytestring &restofdata &transient;
+};
+
 ######################################################################
 # Handshake Protocol (7.4.)
 ######################################################################

From 902d52e261069addbf6647537b1a5db9a171f79d Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 08:43:38 -0700
Subject: [PATCH 148/220] add is_orig to heartbeat event

---
 src/analyzer/protocol/ssl/events.bif       | 2 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index c85e911ee8..3f780bdd60 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -139,4 +139,4 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
-event ssl_heartbeat%(c: connection, length: count%);
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index e6ea1628a1..1730ce8ce5 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -308,7 +308,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( ${rec.content_type} == HEARTBEAT )
 			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-				bro_analyzer()->Conn(), ${rec.length});
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
@@ -328,7 +328,7 @@ refine connection SSL_Conn += {
 	function proc_heartbeat(rec : SSLRecord) : bool
 		%{
 		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.length});
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 
 		return true;
 		%}

From 018735a5744d8a82bbd7cee48fd828b4018d257f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 09:49:00 -0700
Subject: [PATCH 149/220] default to TLS when not being able to determine
 version

---
 src/analyzer/protocol/ssl/ssl-protocol.pac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index c12130abf8..944f081060 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -39,13 +39,13 @@ type SSLRecord(is_orig: bool) = record {
 		$context.connection.determine_ssl_version(head0, head1, head2);
 
 	content_type : int = case version of {
-		UNKNOWN_VERSION -> 0;
+		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> head2+300;
 		default -> head0;
 	};
 
 	length : int = case version of {
-		UNKNOWN_VERSION -> 0;
+		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
 	};

From 335a30b08f10ecc6243182d71f786ac104f31897 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:03:12 -0700
Subject: [PATCH 150/220] detect and alert on simple case of heartbleed

---
 scripts/policy/protocols/ssl/heartbleed.bro | 44 +++++++++++++++++++++
 src/analyzer/protocol/ssl/events.bif        |  4 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac  |  8 ++--
 src/analyzer/protocol/ssl/ssl-protocol.pac  |  4 +-
 4 files changed, 53 insertions(+), 7 deletions(-)
 create mode 100644 scripts/policy/protocols/ssl/heartbleed.bro

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
new file mode 100644
index 0000000000..b3f81034b0
--- /dev/null
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -0,0 +1,44 @@
+module Heartbleed;
+
+redef record SSL::Info += {
+#	last_originator_heartbeat_request_size: count &optional;
+#	originator_heartbeats: count &default=0;
+#	responder_heartbeats: count &default=0;
+  heartbleed_detected: bool &default=F;
+	};
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a host performing a heartbleed attack.
+		SSL_Heartbeat_Attack,
+    ## Indicates that a host performing a heartbleed attack was probably successful.
+    SSL_Heartbeat_Attack_Success,
+  };
+}
+
+event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
+  {
+  if ( heartbeat_type == 1 )
+    {
+
+    local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
+
+
+    if ( payload_length > checklength )
+      {
+      c$ssl$heartbleed_detected = T;
+      NOTICE([$note=SSL_Heartbeat_Attack,
+        $msg="An TLS heartbleed attack was detected!",
+        $conn=c
+        ]);
+      }
+    }
+
+  if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
+    {
+      NOTICE([$note=SSL_Heartbeat_Attack_Success,
+        $msg="An TLS heartbleed attack was detected and probably exploited",
+        $conn=c
+        ]);
+    }
+  }
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 3f780bdd60..e720089f45 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -139,4 +139,6 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count%);
+event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
+
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 1730ce8ce5..d0ac88a5a1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -307,7 +307,7 @@ refine connection SSL_Conn += {
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
 		if ( ${rec.content_type} == HEARTBEAT )
-			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+			BifEvent::generate_ssl_encrypted_heartbeat(bro_analyzer(),
 				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 
 		if ( state_ == STATE_TRACK_LOST )
@@ -325,10 +325,10 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_heartbeat(rec : SSLRecord) : bool
+	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16) : bool
 		%{
 		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length);
 
 		return true;
 		%}
@@ -353,7 +353,7 @@ refine typeattr ApplicationData += &let {
 };
 
 refine typeattr Heartbeat += &let {
-	proc : bool = $context.connection.proc_heartbeat(rec);
+	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length);
 };
 
 refine typeattr ClientHello += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 944f081060..acded2dbf9 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -230,9 +230,9 @@ type ApplicationData(rec: SSLRecord) = record {
 # V3 Heartbeat
 ######################################################################
 
-# Heartbeats should basically always be encrypted, so we should not
-# reach this point.
 type Heartbeat(rec: SSLRecord) = record {
+  type : uint8;
+  payload_length : uint16;
 	data : bytestring &restofdata &transient;
 };
 

From c41810a33780b1263f2e8a1b6939d398a267fa0f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:19:30 -0700
Subject: [PATCH 151/220] polish script and probably detect encrypted attacks
 too.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 65 +++++++++++++++++++--
 1 file changed, 60 insertions(+), 5 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index b3f81034b0..c9a9622e2c 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,9 +1,11 @@
 module Heartbleed;
 
 redef record SSL::Info += {
-#	last_originator_heartbeat_request_size: count &optional;
-#	originator_heartbeats: count &default=0;
-#	responder_heartbeats: count &default=0;
+	last_originator_heartbeat_request_size: count &optional;
+	last_responder_heartbeat_request_size: count &optional;
+	originator_heartbeats: count &default=0;
+	responder_heartbeats: count &default=0;
+
   heartbleed_detected: bool &default=F;
 	};
 
@@ -11,8 +13,14 @@ export {
 	redef enum Notice::Type += {
 		## Indicates that a host performing a heartbleed attack.
 		SSL_Heartbeat_Attack,
-    ## Indicates that a host performing a heartbleed attack was probably successful.
+    ## Indicates that a host performing a heartbleed attack was successful.
     SSL_Heartbeat_Attack_Success,
+    ## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
+    SSL_Heartbeat_Encrypted_Attack_Success,
+    ## Indicates we saw heartbeet requests with odd length. Probably an attack.
+    SSL_Heartbeat_Odd_Length,
+    ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
+    SSL_Heartbeat_Many_Requests
   };
 }
 
@@ -20,7 +28,6 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
   {
   if ( heartbeat_type == 1 )
     {
-
     local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
 
 
@@ -42,3 +49,51 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
         ]);
     }
   }
+
+event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
+  {
+  if ( is_orig )
+    ++c$ssl$originator_heartbeats;
+  else
+    ++c$ssl$responder_heartbeats;
+
+  if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
+      NOTICE([$note=SSL_Heartbeat_Many_Requests,
+        $msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+        $conn=c
+        ]);
+
+  if ( is_orig && length < 19 )
+      NOTICE([$note=SSL_Heartbeat_Odd_Length,
+        $msg="Heartbeat message smaller than minimum length. Probable attack.",
+        $conn=c
+        ]);
+
+  if ( is_orig )
+    {
+    if ( c$ssl?$last_responder_heartbeat_request_size )
+      {
+      # server originated heartbeat. Ignore & continue
+      delete c$ssl$last_responder_heartbeat_request_size;
+      }
+    else
+      c$ssl$last_originator_heartbeat_request_size = length;
+    }
+  else
+    {
+    if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+      {
+      NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
+        $msg="An Encrypted TLS heartbleed attack was probably detected!",
+        $conn=c
+        ]);
+      }
+    else if ( ! c$ssl?$last_originator_heartbeat_request_size )
+      {
+      c$ssl$last_responder_heartbeat_request_size = length;
+      }
+
+    if ( c$ssl?$last_originator_heartbeat_request_size )
+      delete c$ssl$last_originator_heartbeat_request_size;
+    }
+  }

From 4d33bdbb1ebe531a238803ef612395d8a39fc6e8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:28:13 -0700
Subject: [PATCH 152/220] fix tabs.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 146 ++++++++++----------
 1 file changed, 73 insertions(+), 73 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index c9a9622e2c..7089758e93 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -6,94 +6,94 @@ redef record SSL::Info += {
 	originator_heartbeats: count &default=0;
 	responder_heartbeats: count &default=0;
 
-  heartbleed_detected: bool &default=F;
+	heartbleed_detected: bool &default=F;
 	};
 
 export {
 	redef enum Notice::Type += {
 		## Indicates that a host performing a heartbleed attack.
 		SSL_Heartbeat_Attack,
-    ## Indicates that a host performing a heartbleed attack was successful.
-    SSL_Heartbeat_Attack_Success,
-    ## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
-    SSL_Heartbeat_Encrypted_Attack_Success,
-    ## Indicates we saw heartbeet requests with odd length. Probably an attack.
-    SSL_Heartbeat_Odd_Length,
-    ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
-    SSL_Heartbeat_Many_Requests
-  };
+		## Indicates that a host performing a heartbleed attack was successful.
+		SSL_Heartbeat_Attack_Success,
+		## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
+		SSL_Heartbeat_Encrypted_Attack_Success,
+		## Indicates we saw heartbeet requests with odd length. Probably an attack.
+		SSL_Heartbeat_Odd_Length,
+		## Indicates we saw many heartbeat requests without an reply. Might be an attack.
+		SSL_Heartbeat_Many_Requests
+	};
 }
 
 event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
-  {
-  if ( heartbeat_type == 1 )
-    {
-    local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
+	{
+	if ( heartbeat_type == 1 )
+		{
+		local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
 
 
-    if ( payload_length > checklength )
-      {
-      c$ssl$heartbleed_detected = T;
-      NOTICE([$note=SSL_Heartbeat_Attack,
-        $msg="An TLS heartbleed attack was detected!",
-        $conn=c
-        ]);
-      }
-    }
+		if ( payload_length > checklength )
+			{
+			c$ssl$heartbleed_detected = T;
+			NOTICE([$note=SSL_Heartbeat_Attack,
+				$msg="An TLS heartbleed attack was detected!",
+				$conn=c
+				]);
+			}
+		}
 
-  if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
-    {
-      NOTICE([$note=SSL_Heartbeat_Attack_Success,
-        $msg="An TLS heartbleed attack was detected and probably exploited",
-        $conn=c
-        ]);
-    }
-  }
+	if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
+		{
+			NOTICE([$note=SSL_Heartbeat_Attack_Success,
+				$msg="An TLS heartbleed attack was detected and probably exploited",
+				$conn=c
+				]);
+		}
+	}
 
 event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
-  {
-  if ( is_orig )
-    ++c$ssl$originator_heartbeats;
-  else
-    ++c$ssl$responder_heartbeats;
+	{
+	if ( is_orig )
+		++c$ssl$originator_heartbeats;
+	else
+		++c$ssl$responder_heartbeats;
 
-  if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
-      NOTICE([$note=SSL_Heartbeat_Many_Requests,
-        $msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
-        $conn=c
-        ]);
+	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
+			NOTICE([$note=SSL_Heartbeat_Many_Requests,
+				$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+				$conn=c
+				]);
 
-  if ( is_orig && length < 19 )
-      NOTICE([$note=SSL_Heartbeat_Odd_Length,
-        $msg="Heartbeat message smaller than minimum length. Probable attack.",
-        $conn=c
-        ]);
+	if ( is_orig && length < 19 )
+			NOTICE([$note=SSL_Heartbeat_Odd_Length,
+				$msg="Heartbeat message smaller than minimum length. Probable attack.",
+				$conn=c
+				]);
 
-  if ( is_orig )
-    {
-    if ( c$ssl?$last_responder_heartbeat_request_size )
-      {
-      # server originated heartbeat. Ignore & continue
-      delete c$ssl$last_responder_heartbeat_request_size;
-      }
-    else
-      c$ssl$last_originator_heartbeat_request_size = length;
-    }
-  else
-    {
-    if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
-      {
-      NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
-        $msg="An Encrypted TLS heartbleed attack was probably detected!",
-        $conn=c
-        ]);
-      }
-    else if ( ! c$ssl?$last_originator_heartbeat_request_size )
-      {
-      c$ssl$last_responder_heartbeat_request_size = length;
-      }
+	if ( is_orig )
+		{
+		if ( c$ssl?$last_responder_heartbeat_request_size )
+			{
+			# server originated heartbeat. Ignore & continue
+			delete c$ssl$last_responder_heartbeat_request_size;
+			}
+		else
+			c$ssl$last_originator_heartbeat_request_size = length;
+		}
+	else
+		{
+		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+			{
+			NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
+				$msg="An Encrypted TLS heartbleed attack was probably detected!",
+				$conn=c
+				]);
+			}
+		else if ( ! c$ssl?$last_originator_heartbeat_request_size )
+			{
+			c$ssl$last_responder_heartbeat_request_size = length;
+			}
 
-    if ( c$ssl?$last_originator_heartbeat_request_size )
-      delete c$ssl$last_originator_heartbeat_request_size;
-    }
-  }
+		if ( c$ssl?$last_originator_heartbeat_request_size )
+			delete c$ssl$last_originator_heartbeat_request_size;
+		}
+	}

From cb87f834f9360aae450f778b0a9b49cee4102a4e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:40:48 -0700
Subject: [PATCH 153/220] make tls heartbeat messages a bit better.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 7089758e93..0e5abc7ab3 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -30,12 +30,11 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 		{
 		local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
 
-
 		if ( payload_length > checklength )
 			{
 			c$ssl$heartbleed_detected = T;
 			NOTICE([$note=SSL_Heartbeat_Attack,
-				$msg="An TLS heartbleed attack was detected!",
+				$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
 				$conn=c
 				]);
 			}
@@ -60,13 +59,15 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
 				$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
-				$conn=c
+				$conn=c,
+				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats)
 				]);
 
 	if ( is_orig && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
 				$msg="Heartbeat message smaller than minimum length. Probable attack.",
-				$conn=c
+				$conn=c,
+				$n=length
 				]);
 
 	if ( is_orig )

From f2c2da92c6505a2a979051e553ff4043f1317a0e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 11:53:01 -0700
Subject: [PATCH 154/220] add to local.bro, add disclaimer

---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 ++
 scripts/site/local.bro                      | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 0e5abc7ab3..d66ff4df2a 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,5 +1,7 @@
 module Heartbleed;
 
+# Please note - this is not well tested. Use at your own risk.
+
 redef record SSL::Info += {
 	last_originator_heartbeat_request_size: count &optional;
 	last_responder_heartbeat_request_size: count &optional;
diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index e1a3574424..bb2cc73a53 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -81,3 +81,5 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
 
+# Load heartbleed detection. Only superficially tested, might contain bugs.
+@load policy/protocols/ssl/heartbleed

From 2942a26280866c5ecad13ce8d7a63a706dc9e1af Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 12:44:51 -0700
Subject: [PATCH 155/220] also extract payload data in ssl_heartbeat

---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 +-
 src/analyzer/protocol/ssl/events.bif        | 2 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac  | 8 ++++----
 src/analyzer/protocol/ssl/ssl-protocol.pac  | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index d66ff4df2a..19728b1d0c 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -26,7 +26,7 @@ export {
 	};
 }
 
-event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
+event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 	{
 	if ( heartbeat_type == 1 )
 		{
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index e720089f45..a11e7bcc68 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -141,4 +141,4 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count%);
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index d0ac88a5a1..29240161d1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -325,11 +325,11 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16) : bool
+	function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
 		%{
 		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length);
-
+			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
+			new StringVal(data.length(), (const char*) data.data()));
 		return true;
 		%}
 
@@ -353,7 +353,7 @@ refine typeattr ApplicationData += &let {
 };
 
 refine typeattr Heartbeat += &let {
-	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length);
+	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data);
 };
 
 refine typeattr ClientHello += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index acded2dbf9..f8645410dc 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -233,7 +233,7 @@ type ApplicationData(rec: SSLRecord) = record {
 type Heartbeat(rec: SSLRecord) = record {
   type : uint8;
   payload_length : uint16;
-	data : bytestring &restofdata &transient;
+	data : bytestring &restofdata;
 };
 
 ######################################################################

From 285ef548ffd71fcc051201c4aaec104429c27880 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 8 Apr 2014 15:47:11 -0700
Subject: [PATCH 156/220] Updating test baselines.

---
 .../canonified_loaded_scripts.log                           | 6 +++---
 .../canonified_loaded_scripts.log                           | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 2ffb0607b6..c25c854779 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-04-01-19-07-42
+#open	2014-04-08-22-38-18
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -48,10 +48,10 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
@@ -106,4 +106,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/broxygen.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2014-04-01-19-07-42
+#close	2014-04-08-22-38-18
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 561e443bbf..488b74e111 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2014-04-01-19-07-49
+#open	2014-04-08-22-38-27
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -48,10 +48,10 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro
     build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro
     build/scripts/base/bif/plugins/Bro_RPC.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMB.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SMTP.functions.bif.bro
-    build/scripts/base/bif/plugins/Bro_SNMP.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SOCKS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSH.events.bif.bro
     build/scripts/base/bif/plugins/Bro_SSL.events.bif.bro
@@ -232,4 +232,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-checksum-offloading.bro
   scripts/base/misc/find-filtered-trace.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2014-04-01-19-07-49
+#close	2014-04-08-22-38-27

From 2414aaf4bb9e1a9ba9aafbf748f2905311f8cd8e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Tue, 8 Apr 2014 21:57:37 -0700
Subject: [PATCH 157/220] enable detection of encrypted heartbleeds.

---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 +-
 src/analyzer/protocol/ssl/ssl-protocol.pac  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 19728b1d0c..0049c4c51f 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -84,7 +84,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		}
 	else
 		{
-		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
 			{
 			NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
 				$msg="An Encrypted TLS heartbleed attack was probably detected!",
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index f8645410dc..b8e5c9f624 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -52,7 +52,7 @@ type SSLRecord(is_orig: bool) = record {
 };
 
 type RecordText(rec: SSLRecord) = case $context.connection.state() of {
-	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
+	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED, STATE_CLIENT_FINISHED,
 	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
 		-> ciphertext : CiphertextRecord(rec);
 	default

From 2b3c2bd3940cd6883dc188abbc7aa5372cae7278 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 9 Apr 2014 13:03:24 -0500
Subject: [PATCH 158/220] Fix reassembly of data w/ sizes beyond 32-bit
 capacities (BIT-348).

The main change is that reassembly code (e.g. for TCP) now uses
int64/uint64 (signedness is situational) data types in place of int
types in order to support delivering data to analyzers that pass 2GB
thresholds.  There's also changes in logic that accompany the change in
data types, e.g. to fix TCP sequence space arithmetic inconsistencies.

Another significant change is in the Analyzer API: the *Packet and
*Undelivered methods now use a uint64 in place of an int for the
relative sequence space offset parameter.
---
 src/Frag.cc                                   |   12 +-
 src/Frag.h                                    |    6 +-
 src/Reassem.cc                                |   88 +-
 src/Reassem.h                                 |   32 +-
 src/Stats.cc                                  |    2 +-
 src/analyzer/Analyzer.cc                      |   20 +-
 src/analyzer/Analyzer.h                       |   20 +-
 src/analyzer/protocol/ayiya/AYIYA.cc          |    2 +-
 src/analyzer/protocol/ayiya/AYIYA.h           |    2 +-
 src/analyzer/protocol/backdoor/BackDoor.cc    |   41 +-
 src/analyzer/protocol/backdoor/BackDoor.h     |   34 +-
 .../protocol/bittorrent/BitTorrent.cc         |    2 +-
 src/analyzer/protocol/bittorrent/BitTorrent.h |    2 +-
 .../protocol/bittorrent/BitTorrentTracker.cc  |    2 +-
 .../protocol/bittorrent/BitTorrentTracker.h   |    2 +-
 src/analyzer/protocol/conn-size/ConnSize.cc   |    2 +-
 src/analyzer/protocol/conn-size/ConnSize.h    |    2 +-
 src/analyzer/protocol/dhcp/DHCP.cc            |    2 +-
 src/analyzer/protocol/dhcp/DHCP.h             |    2 +-
 src/analyzer/protocol/dnp3/DNP3.cc            |    2 +-
 src/analyzer/protocol/dnp3/DNP3.h             |    2 +-
 src/analyzer/protocol/dns/DNS.cc              |    2 +-
 src/analyzer/protocol/dns/DNS.h               |    2 +-
 src/analyzer/protocol/file/File.cc            |   10 +-
 src/analyzer/protocol/file/File.h             |    6 +-
 src/analyzer/protocol/gtpv1/GTPv1.cc          |    2 +-
 src/analyzer/protocol/gtpv1/GTPv1.h           |    2 +-
 src/analyzer/protocol/http/HTTP.cc            |    6 +-
 src/analyzer/protocol/http/HTTP.h             |    4 +-
 src/analyzer/protocol/icmp/ICMP.cc            |    2 +-
 src/analyzer/protocol/icmp/ICMP.h             |    2 +-
 src/analyzer/protocol/interconn/InterConn.cc  |   10 +-
 src/analyzer/protocol/interconn/InterConn.h   |    6 +-
 src/analyzer/protocol/modbus/Modbus.cc        |    2 +-
 src/analyzer/protocol/modbus/Modbus.h         |    2 +-
 src/analyzer/protocol/ncp/NCP.cc              |    2 +-
 src/analyzer/protocol/ncp/NCP.h               |    2 +-
 src/analyzer/protocol/netbios/NetbiosSSN.cc   |    2 +-
 src/analyzer/protocol/netbios/NetbiosSSN.h    |    2 +-
 src/analyzer/protocol/ntp/NTP.cc              |    2 +-
 src/analyzer/protocol/ntp/NTP.h               |    2 +-
 src/analyzer/protocol/pia/PIA.cc              |   10 +-
 src/analyzer/protocol/pia/PIA.h               |   12 +-
 src/analyzer/protocol/rpc/RPC.cc              |    4 +-
 src/analyzer/protocol/rpc/RPC.h               |    4 +-
 src/analyzer/protocol/smtp/SMTP.cc            |    4 +-
 src/analyzer/protocol/smtp/SMTP.h             |    2 +-
 src/analyzer/protocol/socks/SOCKS.cc          |    2 +-
 src/analyzer/protocol/socks/SOCKS.h           |    2 +-
 src/analyzer/protocol/ssl/SSL.cc              |    2 +-
 src/analyzer/protocol/ssl/SSL.h               |    2 +-
 .../protocol/stepping-stone/SteppingStone.cc  |    8 +-
 .../protocol/stepping-stone/SteppingStone.h   |    6 +-
 src/analyzer/protocol/syslog/Syslog.cc        |    4 +-
 src/analyzer/protocol/syslog/Syslog.h         |    4 +-
 src/analyzer/protocol/tcp/ContentLine.cc      |    2 +-
 src/analyzer/protocol/tcp/ContentLine.h       |   12 +-
 src/analyzer/protocol/tcp/TCP.cc              | 2234 +++++++++--------
 src/analyzer/protocol/tcp/TCP.h               |   84 +-
 src/analyzer/protocol/tcp/TCP_Endpoint.cc     |   29 +-
 src/analyzer/protocol/tcp/TCP_Endpoint.h      |   98 +-
 src/analyzer/protocol/tcp/TCP_Reassembler.cc  |  163 +-
 src/analyzer/protocol/tcp/TCP_Reassembler.h   |   49 +-
 src/analyzer/protocol/tcp/events.bif          |    5 +-
 src/analyzer/protocol/teredo/Teredo.cc        |    2 +-
 src/analyzer/protocol/teredo/Teredo.h         |    2 +-
 src/analyzer/protocol/udp/UDP.cc              |    2 +-
 src/analyzer/protocol/udp/UDP.h               |    2 +-
 src/net_util.h                                |    6 +-
 .../core.tcp.large-file-reassembly/conn.log   |   12 +
 .../core.tcp.large-file-reassembly/files.log  |   11 +
 .../core.tcp.large-file-reassembly/out        |   11 +
 .../weird.log                                 |    6 +-
 testing/btest/Traces/ftp/bigtransfer.pcap     |  Bin 0 -> 32127 bytes
 .../btest/core/tcp/large-file-reassembly.bro  |   22 +
 75 files changed, 1627 insertions(+), 1540 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
 create mode 100644 testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
 create mode 100644 testing/btest/Baseline/core.tcp.large-file-reassembly/out
 create mode 100644 testing/btest/Traces/ftp/bigtransfer.pcap
 create mode 100644 testing/btest/core/tcp/large-file-reassembly.bro

diff --git a/src/Frag.cc b/src/Frag.cc
index 30bec88af1..d0389c264a 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -97,9 +97,9 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
 		// Linux MTU discovery for UDP can do this, for example.
 		s->Weird("fragment_with_DF", ip);
 
-	int offset = ip->FragOffset();
-	int len = ip->TotalLen();
-	int hdr_len = ip->HdrLen();
+	uint16 offset = ip->FragOffset();
+	uint32 len = ip->TotalLen();
+	uint16 hdr_len = ip->HdrLen();
 
 	if ( len < hdr_len )
 		{
@@ -107,7 +107,7 @@ void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt)
 		return;
 		}
 
-	int upper_seq = offset + len - hdr_len;
+	uint64 upper_seq = offset + len - hdr_len;
 
 	if ( ! offset )
 		// Make sure to use the first fragment header's next field.
@@ -178,7 +178,7 @@ void FragReassembler::Weird(const char* name) const
 		}
 	}
 
-void FragReassembler::Overlap(const u_char* b1, const u_char* b2, int n)
+void FragReassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 	{
 	if ( memcmp((const void*) b1, (const void*) b2, n) )
 		Weird("fragment_inconsistency");
@@ -231,7 +231,7 @@ void FragReassembler::BlockInserted(DataBlock* /* start_block */)
 		return;
 
 	// We have it all.  Compute the expected size of the fragment.
-	int n = proto_hdr_len + frag_size;
+	uint64 n = proto_hdr_len + frag_size;
 
 	// It's possible that we have blocks associated with this fragment
 	// that exceed this size, if we saw MF fragments (which don't lead
diff --git a/src/Frag.h b/src/Frag.h
index 0d2fbed5b3..7f3a0eec02 100644
--- a/src/Frag.h
+++ b/src/Frag.h
@@ -34,14 +34,14 @@ public:
 
 protected:
 	void BlockInserted(DataBlock* start_block);
-	void Overlap(const u_char* b1, const u_char* b2, int n);
+	void Overlap(const u_char* b1, const u_char* b2, uint64 n);
 	void Weird(const char* name) const;
 
 	u_char* proto_hdr;
 	IP_Hdr* reassembled_pkt;
-	int proto_hdr_len;
+	uint16 proto_hdr_len;
 	NetSessions* s;
-	int frag_size;	// size of fully reassembled fragment
+	uint64 frag_size;	// size of fully reassembled fragment
 	uint16 next_proto; // first IPv6 fragment header's next proto field
 	HashKey* key;
 
diff --git a/src/Reassem.cc b/src/Reassem.cc
index 19beaa0a16..27fb26561f 100644
--- a/src/Reassem.cc
+++ b/src/Reassem.cc
@@ -7,14 +7,9 @@
 #include "Reassem.h"
 #include "Serializer.h"
 
-const bool DEBUG_reassem = false;
+static const bool DEBUG_reassem = false;
 
-#ifdef DEBUG
-int reassem_seen_bytes = 0;
-int reassem_copied_bytes = 0;
-#endif
-
-DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
+DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq,
 			DataBlock* arg_prev, DataBlock* arg_next)
 	{
 	seq = arg_seq;
@@ -23,10 +18,6 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
 
 	memcpy((void*) block, (const void*) data, size);
 
-#ifdef DEBUG
-	reassem_copied_bytes += size;
-#endif
-
 	prev = arg_prev;
 	next = arg_next;
 
@@ -38,9 +29,9 @@ DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
 	Reassembler::total_size += pad_size(size) + padded_sizeof(DataBlock);
 	}
 
-unsigned int Reassembler::total_size = 0;
+uint64 Reassembler::total_size = 0;
 
-Reassembler::Reassembler(int init_seq, ReassemblerType arg_type)
+Reassembler::Reassembler(uint64 init_seq, ReassemblerType arg_type)
 	{
 	blocks = last_block = 0;
 	trim_seq = last_reassem_seq = init_seq;
@@ -51,24 +42,20 @@ Reassembler::~Reassembler()
 	ClearBlocks();
 	}
 
-void Reassembler::NewBlock(double t, int seq, int len, const u_char* data)
+void Reassembler::NewBlock(double t, uint64 seq, uint64 len, const u_char* data)
 	{
 	if ( len == 0 )
 		return;
 
-#ifdef DEBUG
-	reassem_seen_bytes += len;
-#endif
+	uint64 upper_seq = seq + len;
 
-	int upper_seq = seq + len;
-
-	if ( seq_delta(upper_seq, trim_seq) <= 0 )
+	if ( upper_seq <= trim_seq )
 		// Old data, don't do any work for it.
 		return;
 
-	if ( seq_delta(seq, trim_seq) < 0 )
+	if ( seq < trim_seq )
 		{ // Partially old data, just keep the good stuff.
-		int amount_old = seq_delta(trim_seq, seq);
+		uint64 amount_old = trim_seq - seq;
 
 		data += amount_old;
 		seq += amount_old;
@@ -86,42 +73,42 @@ void Reassembler::NewBlock(double t, int seq, int len, const u_char* data)
 	BlockInserted(start_block);
 	}
 
-int Reassembler::TrimToSeq(int seq)
+uint64 Reassembler::TrimToSeq(uint64 seq)
 	{
-	int num_missing = 0;
+	uint64 num_missing = 0;
 
 	// Do this accounting before looking for Undelivered data,
 	// since that will alter last_reassem_seq.
 
 	if ( blocks )
 		{
-		if ( seq_delta(blocks->seq, last_reassem_seq) > 0 )
+		if ( blocks->seq > last_reassem_seq )
 			// An initial hole.
-			num_missing += seq_delta(blocks->seq, last_reassem_seq);
+			num_missing += blocks->seq - last_reassem_seq;
 		}
 
-	else if ( seq_delta(seq, last_reassem_seq) > 0 )
+	else if ( seq > last_reassem_seq )
 		{ // Trimming data we never delivered.
 		if ( ! blocks )
 			// We won't have any accounting based on blocks
 			// for this hole.
-			num_missing += seq_delta(seq, last_reassem_seq);
+			num_missing += seq - last_reassem_seq;
 		}
 
-	if ( seq_delta(seq, last_reassem_seq) > 0 )
+	if ( seq > last_reassem_seq )
 		{
 		// We're trimming data we never delivered.
 		Undelivered(seq);
 		}
 
-	while ( blocks && seq_delta(blocks->upper, seq) <= 0 )
+	while ( blocks && blocks->upper <= seq )
 		{
 		DataBlock* b = blocks->next;
 
-		if ( b && seq_delta(b->seq, seq) <= 0 )
+		if ( b && b->seq <= seq )
 			{
 			if ( blocks->upper != b->seq )
-				num_missing += seq_delta(b->seq, blocks->upper);
+				num_missing += b->seq - blocks->upper;
 			}
 		else
 			{
@@ -129,7 +116,7 @@ int Reassembler::TrimToSeq(int seq)
 			// Second half of test is for acks of FINs, which
 			// don't get entered into the sequence space.
 			if ( blocks->upper != seq && blocks->upper != seq - 1 )
-				num_missing += seq_delta(seq, blocks->upper);
+				num_missing += seq - blocks->upper;
 			}
 
 		delete blocks;
@@ -150,7 +137,7 @@ int Reassembler::TrimToSeq(int seq)
 	else
 		last_block = 0;
 
-	if ( seq_delta(seq, trim_seq) > 0 )
+	if ( seq > trim_seq )
 		// seq is further ahead in the sequence space.
 		trim_seq = seq;
 
@@ -169,9 +156,9 @@ void Reassembler::ClearBlocks()
 	last_block = 0;
 	}
 
-int Reassembler::TotalSize() const
+uint64 Reassembler::TotalSize() const
 	{
-	int size = 0;
+	uint64 size = 0;
 
 	for ( DataBlock* b = blocks; b; b = b->next )
 		size += b->Size();
@@ -184,18 +171,18 @@ void Reassembler::Describe(ODesc* d) const
 	d->Add("reassembler");
 	}
 
-void Reassembler::Undelivered(int up_to_seq)
+void Reassembler::Undelivered(uint64 up_to_seq)
 	{
 	// TrimToSeq() expects this.
 	last_reassem_seq = up_to_seq;
 	}
 
-DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
+DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper,
 					const u_char* data)
 	{
 	if ( DEBUG_reassem )
 		{
-		DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%d, upper=%d\n",
+		DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%"PRIu64", upper=%"PRIu64"\n",
 		          network_time, seq, upper);
 		}
 
@@ -209,10 +196,10 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 
 	// Find the first block that doesn't come completely before the
 	// new data.
-	while ( b->next && seq_delta(b->upper, seq) <= 0 )
+	while ( b->next && b->upper <= seq )
 		b = b->next;
 
-	if ( seq_delta(b->upper, seq) <= 0 )
+	if ( b->upper <= seq )
 		{
 		// b is the last block, and it comes completely before
 		// the new block.
@@ -222,21 +209,20 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 
 	DataBlock* new_b = 0;
 
-	if ( seq_delta(upper, b->seq) <= 0 )
+	if ( upper <= b->seq )
 		{
 		// The new block comes completely before b.
-		new_b = new DataBlock(data, seq_delta(upper, seq), seq,
-					b->prev, b);
+		new_b = new DataBlock(data, upper - seq, seq, b->prev, b);
 		if ( b == blocks )
 			blocks = new_b;
 		return new_b;
 		}
 
 	// The blocks overlap, complain.
-	if ( seq_delta(seq, b->seq) < 0 )
+	if ( seq < b->seq )
 		{
 		// The new block has a prefix that comes before b.
-		int prefix_len = seq_delta(b->seq, seq);
+		uint64 prefix_len = b->seq - seq;
 		new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
 		if ( b == blocks )
 			blocks = new_b;
@@ -247,11 +233,11 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
 	else
 		new_b = b;
 
-	int overlap_start = seq;
-	int overlap_offset = seq_delta(overlap_start, b->seq);
-	int new_b_len = seq_delta(upper, seq);
-	int b_len = seq_delta(b->upper, overlap_start);
-	int overlap_len = min(new_b_len, b_len);
+	uint64 overlap_start = seq;
+	uint64 overlap_offset = overlap_start - b->seq;
+	uint64 new_b_len = upper - seq;
+	uint64 b_len = b->upper - overlap_start;
+	uint64 overlap_len = min(new_b_len, b_len);
 
 	Overlap(&b->block[overlap_offset], data, overlap_len);
 
diff --git a/src/Reassem.h b/src/Reassem.h
index 1f65059e02..7b77a628d8 100644
--- a/src/Reassem.h
+++ b/src/Reassem.h
@@ -8,16 +8,16 @@
 
 class DataBlock {
 public:
-	DataBlock(const u_char* data, int size, int seq,
+	DataBlock(const u_char* data, uint64 size, uint64 seq,
 			DataBlock* prev, DataBlock* next);
 
 	~DataBlock();
 
-	int Size() const	{ return upper - seq; }
+	uint64 Size() const	{ return upper - seq; }
 
 	DataBlock* next;	// next block with higher seq #
 	DataBlock* prev;	// previous block with lower seq #
-	int seq, upper;
+	uint64 seq, upper;
 	u_char* block;
 };
 
@@ -26,22 +26,22 @@ enum ReassemblerType { REASSEM_IP, REASSEM_TCP };
 
 class Reassembler : public BroObj {
 public:
-	Reassembler(int init_seq, ReassemblerType arg_type);
+	Reassembler(uint64 init_seq, ReassemblerType arg_type);
 	virtual ~Reassembler();
 
-	void NewBlock(double t, int seq, int len, const u_char* data);
+	void NewBlock(double t, uint64 seq, uint64 len, const u_char* data);
 
 	// Throws away all blocks up to seq.  Returns number of bytes
 	// if not all in-sequence, 0 if they were.
-	int TrimToSeq(int seq);
+	uint64 TrimToSeq(uint64 seq);
 
 	// Delete all held blocks.
 	void ClearBlocks();
 
 	int HasBlocks() const		{ return blocks != 0; }
-	int LastReassemSeq() const	{ return last_reassem_seq; }
+	uint64 LastReassemSeq() const	{ return last_reassem_seq; }
 
-	int TotalSize() const;	// number of bytes buffered up
+	uint64 TotalSize() const;	// number of bytes buffered up
 
 	void Describe(ODesc* d) const;
 
@@ -49,7 +49,7 @@ public:
 	static Reassembler* Unserialize(UnserialInfo* info);
 
 	// Sum over all data buffered in some reassembler.
-	static unsigned int TotalMemoryAllocation()	{ return total_size; }
+	static uint64 TotalMemoryAllocation()	{ return total_size; }
 
 protected:
 	Reassembler()	{ }
@@ -58,20 +58,20 @@ protected:
 
 	friend class DataBlock;
 
-	virtual void Undelivered(int up_to_seq);
+	virtual void Undelivered(uint64 up_to_seq);
 
 	virtual void BlockInserted(DataBlock* b) = 0;
-	virtual void Overlap(const u_char* b1, const u_char* b2, int n) = 0;
+	virtual void Overlap(const u_char* b1, const u_char* b2, uint64 n) = 0;
 
-	DataBlock* AddAndCheck(DataBlock* b, int seq,
-				int upper, const u_char* data);
+	DataBlock* AddAndCheck(DataBlock* b, uint64 seq,
+				uint64 upper, const u_char* data);
 
 	DataBlock* blocks;
 	DataBlock* last_block;
-	int last_reassem_seq;
-	int trim_seq;	// how far we've trimmed
+	uint64 last_reassem_seq;
+	uint64 trim_seq;	// how far we've trimmed
 
-	static unsigned int total_size;
+	static uint64 total_size;
 };
 
 inline DataBlock::~DataBlock()
diff --git a/src/Stats.cc b/src/Stats.cc
index c4b0ed45b1..6cf9a622e1 100644
--- a/src/Stats.cc
+++ b/src/Stats.cc
@@ -160,7 +160,7 @@ void ProfileLogger::Log()
 	file->Write(fmt("%.06f Connections expired due to inactivity: %d\n",
 		network_time, killed_by_inactivity));
 
-	file->Write(fmt("%.06f Total reassembler data: %dK\n", network_time,
+	file->Write(fmt("%.06f Total reassembler data: %"PRIu64"K\n", network_time,
 		Reassembler::TotalMemoryAllocation() / 1024));
 
 	// Signature engine.
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index b280cbb6f8..b840e1bbd4 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -203,7 +203,7 @@ void Analyzer::Done()
 	finished = true;
 	}
 
-void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq,
+void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64 seq,
 				const IP_Hdr* ip, int caplen)
 	{
 	if ( skip )
@@ -250,7 +250,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
 		}
 	}
 
-void Analyzer::NextUndelivered(int seq, int len, bool is_orig)
+void Analyzer::NextUndelivered(uint64 seq, int len, bool is_orig)
 	{
 	if ( skip )
 		return;
@@ -287,7 +287,7 @@ void Analyzer::NextEndOfData(bool is_orig)
 	}
 
 void Analyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
-				int seq, const IP_Hdr* ip, int caplen)
+				uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	if ( output_handler )
 		output_handler->DeliverPacket(len, data, is_orig, seq,
@@ -335,7 +335,7 @@ void Analyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 	AppendNewChildren();
 	}
 
-void Analyzer::ForwardUndelivered(int seq, int len, bool is_orig)
+void Analyzer::ForwardUndelivered(uint64 seq, int len, bool is_orig)
 	{
 	if ( output_handler )
 		output_handler->Undelivered(seq, len, is_orig);
@@ -595,9 +595,9 @@ SupportAnalyzer* Analyzer::FirstSupportAnalyzer(bool orig)
 	}
 
 void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-				int seq, const IP_Hdr* ip, int caplen)
+				uint64 seq, const IP_Hdr* ip, int caplen)
 	{
-	DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]",
+	DBG_LOG(DBG_ANALYZER, "%s DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]",
 			fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen,
 			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 	}
@@ -609,9 +609,9 @@ void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 	}
 
-void Analyzer::Undelivered(int seq, int len, bool is_orig)
+void Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 	{
-	DBG_LOG(DBG_ANALYZER, "%s Undelivered(%d, %d, %s)",
+	DBG_LOG(DBG_ANALYZER, "%s Undelivered(%"PRIu64", %d, %s)",
 			fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F");
 	}
 
@@ -793,7 +793,7 @@ SupportAnalyzer* SupportAnalyzer::Sibling(bool only_active) const
 	}
 
 void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
 
@@ -834,7 +834,7 @@ void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
 		Parent()->DeliverStream(len, data, is_orig);
 	}
 
-void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
+void SupportAnalyzer::ForwardUndelivered(uint64 seq, int len, bool is_orig)
 	{
 	// We do not call parent's method, as we're replacing the functionality.
 
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 578020082b..f32181b9e7 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -44,7 +44,7 @@ public:
 	 * Analyzer::DeliverPacket().
 	 */
 	virtual void DeliverPacket(int len, const u_char* data,
-				   bool orig, int seq,
+				   bool orig, uint64 seq,
 				   const IP_Hdr* ip, int caplen)
 		{ }
 
@@ -59,7 +59,7 @@ public:
 	 * Hook for receiving notification of stream gaps. Parameters are the
 	 * same as for Analyzer::Undelivered().
 	 */
-	virtual void Undelivered(int seq, int len, bool orig)	{ }
+	virtual void Undelivered(uint64 seq, int len, bool orig)	{ }
 };
 
 /**
@@ -143,7 +143,7 @@ public:
 	 * @param caplen The packet's capture length, if available.
 	 */
 	void NextPacket(int len, const u_char* data, bool is_orig,
-			int seq = -1, const IP_Hdr* ip = 0, int caplen = 0);
+			uint64 seq = -1, const IP_Hdr* ip = 0, int caplen = 0);
 
 	/**
 	 * Passes stream input to the analyzer for processing. The analyzer
@@ -173,7 +173,7 @@ public:
 	 *
 	 * @param is_orig True if this is about originator-side input.
 	 */
-	void NextUndelivered(int seq, int len, bool is_orig);
+	void NextUndelivered(uint64 seq, int len, bool is_orig);
 
 	/**
 	 * Reports a message boundary.  This is a generic method that can be
@@ -195,7 +195,7 @@ public:
 	 * Parameters are the same as for NextPacket().
 	 */
 	virtual void ForwardPacket(int len, const u_char* data,
-					bool orig, int seq,
+					bool orig, uint64 seq,
 					const IP_Hdr* ip, int caplen);
 
 	/**
@@ -212,7 +212,7 @@ public:
 	 *
 	 * Parameters are the same as for NextUndelivered().
 	 */
-	virtual void ForwardUndelivered(int seq, int len, bool orig);
+	virtual void ForwardUndelivered(uint64 seq, int len, bool orig);
 
 	/**
 	 * Forwards an end-of-data notification on to all child analyzers.
@@ -227,7 +227,7 @@ public:
 	 * Parameters are the same.
 	 */
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	/**
 	 * Hook for accessing stream input for parsing. This is called by
@@ -241,7 +241,7 @@ public:
 	 * NextUndelivered() and can be overridden by derived classes.
 	 * Parameters are the same.
 	 */
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	/**
 	 * Hook for accessing end-of-data notifications. This is called by
@@ -749,7 +749,7 @@ public:
 	* Parameters same as for Analyzer::ForwardPacket.
 	*/
 	virtual void ForwardPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	/**
 	* Passes stream input to the next sibling SupportAnalyzer if any, or
@@ -769,7 +769,7 @@ public:
 	*
 	* Parameters same as for Analyzer::ForwardPacket.
 	*/
-	virtual void ForwardUndelivered(int seq, int len, bool orig);
+	virtual void ForwardUndelivered(uint64 seq, int len, bool orig);
 
 protected:
 	friend class Analyzer;
diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
index 070a3ef3e1..a1e00e9b38 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.cc
+++ b/src/analyzer/protocol/ayiya/AYIYA.cc
@@ -22,7 +22,7 @@ void AYIYA_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h
index f5bb379cf4..2739ff2bba 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.h
+++ b/src/analyzer/protocol/ayiya/AYIYA.h
@@ -12,7 +12,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new AYIYA_Analyzer(conn); }
diff --git a/src/analyzer/protocol/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc
index a466938ff6..984b2a5dcf 100644
--- a/src/analyzer/protocol/backdoor/BackDoor.cc
+++ b/src/analyzer/protocol/backdoor/BackDoor.cc
@@ -46,7 +46,7 @@ void BackDoorEndpoint::FinalCheckForRlogin()
 		}
 	}
 
-int BackDoorEndpoint::DataSent(double /* t */, int seq,
+int BackDoorEndpoint::DataSent(double /* t */, uint64 seq,
 				int len, int caplen, const u_char* data,
 				const IP_Hdr* /* ip */,
 				const struct tcphdr* /* tp */)
@@ -60,8 +60,8 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq,
 	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 top_seq = seq + len;
 
 	if ( top_seq <= ack || top_seq <= max_top_seq )
 		// There is no new data in this packet.
@@ -124,7 +124,7 @@ RecordVal* BackDoorEndpoint::BuildStats()
 	return stats;
 	}
 
-void BackDoorEndpoint::CheckForRlogin(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForRlogin(uint64 seq, int len, const u_char* data)
 	{
 	if ( rlogin_checking_done )
 		return;
@@ -177,7 +177,7 @@ void BackDoorEndpoint::CheckForRlogin(int seq, int len, const u_char* data)
 
 	if ( seq < max_top_seq )
 		{ // trim to just the new data
-		int delta = max_top_seq - seq;
+		int64 delta = max_top_seq - seq;
 		seq += delta;
 		data += delta;
 		len -= delta;
@@ -255,7 +255,7 @@ void BackDoorEndpoint::RloginSignatureFound(int len)
 	endp->TCP()->ConnectionEvent(rlogin_signature_found, vl);
 	}
 
-void BackDoorEndpoint::CheckForTelnet(int /* seq */, int len, const u_char* data)
+void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data)
 	{
 	if ( len >= 3 &&
 	     data[0] == TELNET_IAC && IS_TELNET_NEGOTIATION_CMD(data[1]) )
@@ -346,7 +346,7 @@ void BackDoorEndpoint::TelnetSignatureFound(int len)
 	endp->TCP()->ConnectionEvent(telnet_signature_found, vl);
 	}
 
-void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq == 1 && CheckForString("SSH-", data, len) && len > 4 &&
 	     (data[4] == '1' || data[4] == '2') )
@@ -363,8 +363,9 @@ void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
 
 	if ( seq > max_top_seq )
 		{ // Estimate number of packets in the sequence gap
-		int gap = seq - max_top_seq;
-		num_pkts += int((gap + DEFAULT_MTU - 1) / DEFAULT_MTU);
+		int64 gap = seq - max_top_seq;
+		if ( gap > 0 )
+			num_pkts += uint64((gap + DEFAULT_MTU - 1) / DEFAULT_MTU);
 		}
 
 	++num_pkts;
@@ -388,7 +389,7 @@ void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
 		}
 	}
 
-void BackDoorEndpoint::CheckForRootBackdoor(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForRootBackdoor(uint64 seq, int len, const u_char* data)
 	{
 	// Check for root backdoor signature: an initial payload of
 	// exactly "# ".
@@ -397,7 +398,7 @@ void BackDoorEndpoint::CheckForRootBackdoor(int seq, int len, const u_char* data
 		SignatureFound(root_backdoor_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForFTP(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForFTP(uint64 seq, int len, const u_char* data)
 	{
 	// Check for FTP signature
 	//
@@ -429,7 +430,7 @@ void BackDoorEndpoint::CheckForFTP(int seq, int len, const u_char* data)
 		SignatureFound(ftp_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForNapster(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForNapster(uint64 seq, int len, const u_char* data)
 	{
 	// Check for Napster signature "GETfoobar" or "SENDfoobar" where
 	// "foobar" is the Napster handle associated with the request
@@ -449,7 +450,7 @@ void BackDoorEndpoint::CheckForNapster(int seq, int len, const u_char* data)
 		SignatureFound(napster_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForSMTP(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForSMTP(uint64 seq, int len, const u_char* data)
 	{
 	const char* smtp_handshake[] = { "HELO", "EHLO", 0 };
 
@@ -460,7 +461,7 @@ void BackDoorEndpoint::CheckForSMTP(int seq, int len, const u_char* data)
 		SignatureFound(smtp_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForIRC(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForIRC(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq != 1 || is_partial )
 		return;
@@ -475,7 +476,7 @@ void BackDoorEndpoint::CheckForIRC(int seq, int len, const u_char* data)
 		SignatureFound(irc_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForGnutella(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForGnutella(uint64 seq, int len, const u_char* data)
 	{
 	// After connecting to the server, the connecting client says:
 	//
@@ -492,13 +493,13 @@ void BackDoorEndpoint::CheckForGnutella(int seq, int len, const u_char* data)
 		SignatureFound(gnutella_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForGaoBot(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForGaoBot(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq == 1 && CheckForString("220 Bot Server (Win32)", data, len) )
 		SignatureFound(gaobot_signature_found);
 	}
 
-void BackDoorEndpoint::CheckForKazaa(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForKazaa(uint64 seq, int len, const u_char* data)
 	{
 	// *Some*, though not all, KaZaa connections begin with:
 	//
@@ -565,7 +566,7 @@ int is_absolute_url(const u_char* data, int len)
 	return *abs_url_sig_pos == '\0';
 	}
 
-void BackDoorEndpoint::CheckForHTTP(int seq, int len, const u_char* data)
+void BackDoorEndpoint::CheckForHTTP(uint64 seq, int len, const u_char* data)
 	{
 	// According to the RFC, we should look for
 	// '<method> SP <url> SP HTTP/<version> CR LF'
@@ -629,7 +630,7 @@ void BackDoorEndpoint::CheckForHTTP(int seq, int len, const u_char* data)
 		}
 	}
 
-void BackDoorEndpoint::CheckForHTTPProxy(int /* seq */, int len,
+void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
 					const u_char* data)
 	{
 	// Proxy ONLY accepts absolute URI's: "The absoluteURI form is
@@ -713,7 +714,7 @@ void BackDoor_Analyzer::Init()
 	}
 
 void BackDoor_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h
index 5bc8a67381..b1b95ca3f8 100644
--- a/src/analyzer/protocol/backdoor/BackDoor.h
+++ b/src/analyzer/protocol/backdoor/BackDoor.h
@@ -14,7 +14,7 @@ class BackDoorEndpoint {
 public:
 	BackDoorEndpoint(tcp::TCP_Endpoint* e);
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 
 	RecordVal* BuildStats();
@@ -22,23 +22,23 @@ public:
 	void FinalCheckForRlogin();
 
 protected:
-	void CheckForRlogin(int seq, int len, const u_char* data);
+	void CheckForRlogin(uint64 seq, int len, const u_char* data);
 	void RloginSignatureFound(int len);
 
-	void CheckForTelnet(int seq, int len, const u_char* data);
+	void CheckForTelnet(uint64 seq, int len, const u_char* data);
 	void TelnetSignatureFound(int len);
 
-	void CheckForSSH(int seq, int len, const u_char* data);
-	void CheckForFTP(int seq, int len, const u_char* data);
-	void CheckForRootBackdoor(int seq, int len, const u_char* data);
-	void CheckForNapster(int seq, int len, const u_char* data);
-	void CheckForGnutella(int seq, int len, const u_char* data);
-	void CheckForKazaa(int seq, int len, const u_char* data);
-	void CheckForHTTP(int seq, int len, const u_char* data);
-	void CheckForHTTPProxy(int seq, int len, const u_char* data);
-	void CheckForSMTP(int seq, int len, const u_char* data);
-	void CheckForIRC(int seq, int len, const u_char* data);
-	void CheckForGaoBot(int seq, int len, const u_char* data);
+	void CheckForSSH(uint64 seq, int len, const u_char* data);
+	void CheckForFTP(uint64 seq, int len, const u_char* data);
+	void CheckForRootBackdoor(uint64 seq, int len, const u_char* data);
+	void CheckForNapster(uint64 seq, int len, const u_char* data);
+	void CheckForGnutella(uint64 seq, int len, const u_char* data);
+	void CheckForKazaa(uint64 seq, int len, const u_char* data);
+	void CheckForHTTP(uint64 seq, int len, const u_char* data);
+	void CheckForHTTPProxy(uint64 seq, int len, const u_char* data);
+	void CheckForSMTP(uint64 seq, int len, const u_char* data);
+	void CheckForIRC(uint64 seq, int len, const u_char* data);
+	void CheckForGaoBot(uint64 seq, int len, const u_char* data);
 
 	void SignatureFound(EventHandlerPtr e, int do_orig = 0);
 
@@ -48,11 +48,11 @@ protected:
 
 	tcp::TCP_Endpoint* endp;
 	int is_partial;
-	int max_top_seq;
+	uint64 max_top_seq;
 
 	int rlogin_checking_done;
 	int rlogin_num_null;
-	int rlogin_string_separator_pos;
+	uint64 rlogin_string_separator_pos;
 	int rlogin_slash_seen;
 
 	uint32 num_pkts;
@@ -80,7 +80,7 @@ protected:
 	// We support both packet and stream input, and can be instantiated
 	// even if the TCP analyzer is not yet reassembling.
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 
 	void StatEvent();
diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc
index 99fd9dc132..cb6fc0945e 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@@ -68,7 +68,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
+void BitTorrent_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h
index 7739463052..2e303f4038 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrent.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.h
@@ -16,7 +16,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index 98adcaa610..43ee6a2b21 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -207,7 +207,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 		}
 	}
 
-void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
+void BitTorrentTracker_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
index b041e556b7..2fa5d684cd 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h
@@ -49,7 +49,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc
index 227a4b1be2..5bfeb2bf90 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@@ -36,7 +36,7 @@ void ConnSize_Analyzer::Done()
 	Analyzer::Done();
 	}
 
-void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h
index 25f096dd32..ec3b85c0d9 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.h
+++ b/src/analyzer/protocol/conn-size/ConnSize.h
@@ -26,7 +26,7 @@ public:
 
 protected:
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 
 	uint64_t orig_bytes;
diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc
index 1fa8759fbf..78b1c6be69 100644
--- a/src/analyzer/protocol/dhcp/DHCP.cc
+++ b/src/analyzer/protocol/dhcp/DHCP.cc
@@ -21,7 +21,7 @@ void DHCP_Analyzer::Done()
 	}
 
 void DHCP_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool orig, int seq, const IP_Hdr* ip, int caplen)
+			bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	interp->NewData(orig, data, data + len);
diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h
index a1c06e8b85..7633d71351 100644
--- a/src/analyzer/protocol/dhcp/DHCP.h
+++ b/src/analyzer/protocol/dhcp/DHCP.h
@@ -14,7 +14,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new DHCP_Analyzer(conn); }
diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc
index ee90a0c74d..9d9ddf0c35 100644
--- a/src/analyzer/protocol/dnp3/DNP3.cc
+++ b/src/analyzer/protocol/dnp3/DNP3.cc
@@ -153,7 +153,7 @@ void DNP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void DNP3_Analyzer::Undelivered(int seq, int len, bool orig)
+void DNP3_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h
index b84d3874b4..a0578808a8 100644
--- a/src/analyzer/protocol/dnp3/DNP3.h
+++ b/src/analyzer/protocol/dnp3/DNP3.h
@@ -14,7 +14,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index a97c7b8632..baa95f46de 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1146,7 +1146,7 @@ void DNS_Analyzer::Done()
 	}
 
 void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index af4b8de22f..2cc1615b04 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -258,7 +258,7 @@ public:
 	~DNS_Analyzer();
 
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	virtual void Init();
 	virtual void Done();
diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index 4476043721..7af16165e3 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -34,7 +34,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	return;
 	}
 
-void File_Analyzer::Undelivered(int seq, int len, bool orig)
+void File_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	}
@@ -79,10 +79,10 @@ void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
 	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
 	}
 
-void IRC_Data::Undelivered(int seq, int len, bool orig)
+void IRC_Data::Undelivered(uint64 seq, int len, bool orig)
 	{
 	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
+	file_mgr->Gap(seq - 1, len, GetAnalyzerTag(), Conn(), orig);
 	}
 
 FTP_Data::FTP_Data(Connection* conn)
@@ -102,8 +102,8 @@ void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
 	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
 	}
 
-void FTP_Data::Undelivered(int seq, int len, bool orig)
+void FTP_Data::Undelivered(uint64 seq, int len, bool orig)
 	{
 	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
+	file_mgr->Gap(seq - 1, len, GetAnalyzerTag(), Conn(), orig);
 	}
diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h
index 7afbd569c4..f83ec82a49 100644
--- a/src/analyzer/protocol/file/File.h
+++ b/src/analyzer/protocol/file/File.h
@@ -17,7 +17,7 @@ public:
 
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	void Undelivered(int seq, int len, bool orig);
+	void Undelivered(uint64 seq, int len, bool orig);
 
 //	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 //		{ return new File_Analyzer(conn); }
@@ -38,7 +38,7 @@ public:
 
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new IRC_Data(conn); }
@@ -52,7 +52,7 @@ public:
 
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new FTP_Data(conn); }
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc
index 0a94a28554..361e602b5f 100644
--- a/src/analyzer/protocol/gtpv1/GTPv1.cc
+++ b/src/analyzer/protocol/gtpv1/GTPv1.cc
@@ -23,7 +23,7 @@ void GTPv1_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	try
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h
index b58405ea7f..eebaf1d83e 100644
--- a/src/analyzer/protocol/gtpv1/GTPv1.h
+++ b/src/analyzer/protocol/gtpv1/GTPv1.h
@@ -12,7 +12,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new GTPv1_Analyzer(conn); }
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index f676643b7c..2eaff3f8c6 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -1115,11 +1115,11 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 		}
 	}
 
-void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+void HTTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
-	// DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length);
+	// DEBUG_MSG("Undelivered from %"PRIu64": %d bytes\n", seq, length);
 
 	HTTP_Message* msg =
 		is_orig ? request_message : reply_message;
@@ -1131,7 +1131,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
 		{
 		if ( msg )
 			msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP,
-				fmt("seq=%d, len=%d", seq, len));
+				fmt("seq=%"PRIu64", len=%d", seq, len));
 		}
 
 	// Check if the content gap falls completely within a message body
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index 48a611b63b..6b44130505 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -161,7 +161,7 @@ public:
 	HTTP_Analyzer(Connection* conn);
 	~HTTP_Analyzer();
 
-	void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len);
+	void Undelivered(tcp::TCP_Endpoint* sender, uint64 seq, int len);
 
 	void HTTP_Header(int is_orig, mime::MIME_Header* h);
 	void HTTP_EntityData(int is_orig, const BroString* entity_data);
@@ -177,7 +177,7 @@ public:
 	// Overriden from Analyzer.
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	// Overriden from tcp::TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc
index 510d3b3a80..393b5536e8 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -31,7 +31,7 @@ void ICMP_Analyzer::Done()
 	}
 
 void ICMP_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+			bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	assert(ip);
 
diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h
index e371f53889..116348cce6 100644
--- a/src/analyzer/protocol/icmp/ICMP.h
+++ b/src/analyzer/protocol/icmp/ICMP.h
@@ -29,7 +29,7 @@ protected:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
diff --git a/src/analyzer/protocol/interconn/InterConn.cc b/src/analyzer/protocol/interconn/InterConn.cc
index 4b298eaa52..eb529cbb6d 100644
--- a/src/analyzer/protocol/interconn/InterConn.cc
+++ b/src/analyzer/protocol/interconn/InterConn.cc
@@ -24,7 +24,7 @@ InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e)
 
 #define NORMAL_LINE_LENGTH 80
 
-int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
+int InterConnEndpoint::DataSent(double t, uint64 seq, int len, int caplen,
 		const u_char* data, const IP_Hdr* /* ip */,
 		const struct tcphdr* /* tp */)
 	{
@@ -37,8 +37,8 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
 	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 top_seq = seq + len;
 
 	if ( top_seq <= ack || top_seq <= max_top_seq )
 		// There is no new data in this packet
@@ -46,7 +46,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
 
 	if ( seq < max_top_seq )
 		{ // Only consider new data
-		int amount_seen = max_top_seq - seq;
+		int64 amount_seen = max_top_seq - seq;
 		seq += amount_seen;
 		data += amount_seen;
 		len -= amount_seen;
@@ -184,7 +184,7 @@ void InterConn_Analyzer::Init()
 	}
 
 void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+			bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
 						seq, ip, caplen);
diff --git a/src/analyzer/protocol/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h
index b13abecab1..a485e05082 100644
--- a/src/analyzer/protocol/interconn/InterConn.h
+++ b/src/analyzer/protocol/interconn/InterConn.h
@@ -13,7 +13,7 @@ class InterConnEndpoint : public BroObj {
 public:
 	InterConnEndpoint(tcp::TCP_Endpoint* e);
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 
 	RecordVal* BuildStats();
@@ -25,7 +25,7 @@ protected:
 
 	tcp::TCP_Endpoint* endp;
 	double last_keystroke_time;
-	int max_top_seq;
+	uint64 max_top_seq;
 	uint32 num_pkts;
 	uint32 num_keystrokes_two_in_a_row;
 	uint32 num_normal_interarrivals;
@@ -56,7 +56,7 @@ protected:
 	// We support both packet and stream input and can be put in place even
 	// if the TCP analyzer is not yet reassembling.
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 
 	void StatEvent();
diff --git a/src/analyzer/protocol/modbus/Modbus.cc b/src/analyzer/protocol/modbus/Modbus.cc
index 9d216d356b..f003ad6cc5 100644
--- a/src/analyzer/protocol/modbus/Modbus.cc
+++ b/src/analyzer/protocol/modbus/Modbus.cc
@@ -31,7 +31,7 @@ void ModbusTCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	interp->NewData(orig, data, data + len);
 	}
 
-void ModbusTCP_Analyzer::Undelivered(int seq, int len, bool orig)
+void ModbusTCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h
index 6f566be828..41448f69e3 100644
--- a/src/analyzer/protocol/modbus/Modbus.h
+++ b/src/analyzer/protocol/modbus/Modbus.h
@@ -14,7 +14,7 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc
index 75b6c9f4be..3858f0b2ad 100644
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@@ -211,7 +211,7 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 		}
 	}
 
-void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig)
+void Contents_NCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 
diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h
index 34174df74e..2e06babb8c 100644
--- a/src/analyzer/protocol/ncp/NCP.h
+++ b/src/analyzer/protocol/ncp/NCP.h
@@ -90,7 +90,7 @@ public:
 
 protected:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	NCP_FrameBuffer buffer;
 	NCP_Session* session;
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc
index 4d6ed8e1f1..d65a152b2f 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@@ -513,7 +513,7 @@ void NetbiosSSN_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint,
 	}
 
 void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h
index 7c2728ef9a..7fbe967841 100644
--- a/src/analyzer/protocol/netbios/NetbiosSSN.h
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.h
@@ -146,7 +146,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new NetbiosSSN_Analyzer(conn); }
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
index b4b63d5634..5778da9a0e 100644
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@@ -25,7 +25,7 @@ void NTP_Analyzer::Done()
 	Event(udp_session_done);
 	}
 
-void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h
index 201c5a8774..87255fd2e4 100644
--- a/src/analyzer/protocol/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@@ -46,7 +46,7 @@ public:
 protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	int Request(const u_char* data, int len);
 	int Reply(const u_char* data, int len);
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index 388d1d501d..24d4565ce1 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -30,7 +30,7 @@ void PIA::ClearBuffer(Buffer* buffer)
 	buffer->size = 0;
 	}
 
-void PIA::AddToBuffer(Buffer* buffer, int seq, int len, const u_char* data,
+void PIA::AddToBuffer(Buffer* buffer, uint64 seq, int len, const u_char* data,
 			bool is_orig)
 	{
 	u_char* tmp = 0;
@@ -77,7 +77,7 @@ void PIA::PIA_Done()
 	FinishEndpointMatcher();
 	}
 
-void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, int seq,
+void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq,
 				const IP_Hdr* ip, int caplen)
 	{
 	if ( pkt_buffer.state == SKIPPING )
@@ -256,7 +256,7 @@ void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
 	stream_buffer.state = new_state;
 	}
 
-void PIA_TCP::Undelivered(int seq, int len, bool is_orig)
+void PIA_TCP::Undelivered(uint64 seq, int len, bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
@@ -337,8 +337,8 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 		new tcp::TCP_Reassembler(this, tcp, tcp::TCP_Reassembler::Direct,
 					tcp->Resp());
 
-	int orig_seq = 0;
-	int resp_seq = 0;
+	uint64 orig_seq = 0;
+	uint64 resp_seq = 0;
 
 	for ( DataBlock* b = pkt_buffer.head; b; b = b->next )
 		{
diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
index d8c272d219..db387769e8 100644
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@@ -42,7 +42,7 @@ public:
 protected:
 	void PIA_Done();
 	void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
-				int seq, const IP_Hdr* ip, int caplen);
+				uint64 seq, const IP_Hdr* ip, int caplen);
 
 	enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
 
@@ -52,7 +52,7 @@ protected:
 		const u_char* data;
 		bool is_orig;
 		int len;
-		int seq;
+		uint64 seq;
 		DataBlock* next;
 	};
 
@@ -65,7 +65,7 @@ protected:
 		State state;
 	};
 
-	void AddToBuffer(Buffer* buffer, int seq, int len,
+	void AddToBuffer(Buffer* buffer, uint64 seq, int len,
 				const u_char* data, bool is_orig);
 	void AddToBuffer(Buffer* buffer, int len,
 				const u_char* data, bool is_orig);
@@ -105,7 +105,7 @@ protected:
 		}
 
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 		{
 		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
@@ -150,14 +150,14 @@ protected:
 		}
 
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 		{
 		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
 		}
 
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
-	virtual void Undelivered(int seq, int len, bool is_orig);
+	virtual void Undelivered(uint64 seq, int len, bool is_orig);
 
 	virtual void ActivateAnalyzer(analyzer::Tag tag,
 					const Rule* rule = 0);
diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc
index 1ffc7dd26e..38ed229a10 100644
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@@ -399,7 +399,7 @@ Contents_RPC::~Contents_RPC()
 	{
 	}
 
-void Contents_RPC::Undelivered(int seq, int len, bool orig)
+void Contents_RPC::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_SupportAnalyzer::Undelivered(seq, len, orig);
 	NeedResync();
@@ -704,7 +704,7 @@ RPC_Analyzer::~RPC_Analyzer()
 	}
 
 void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	len = min(len, caplen);
diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h
index a705d272f6..e87f8afa95 100644
--- a/src/analyzer/protocol/rpc/RPC.h
+++ b/src/analyzer/protocol/rpc/RPC.h
@@ -203,7 +203,7 @@ protected:
 	virtual void Init();
 	virtual bool CheckResync(int& len, const u_char*& data, bool orig);
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	virtual void NeedResync() {
 		resync_state = NEED_RESYNC;
@@ -234,7 +234,7 @@ public:
 
 protected:
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	void ExpireTimer(double t);
 
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
index c3fb21b6a4..c0e34ce6f1 100644
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -76,14 +76,14 @@ void SMTP_Analyzer::Done()
 		EndData();
 	}
 
-void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+void SMTP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
 	if ( len <= 0 )
 		return;
 
-	const char* buf = fmt("seq = %d, len = %d", seq, len);
+	const char* buf = fmt("seq = %"PRIu64", len = %d", seq, len);
 	int buf_len = strlen(buf);
 
 	Unexpected(is_orig, "content gap", buf_len, buf);
diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h
index cc12167d30..de9dc346ff 100644
--- a/src/analyzer/protocol/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@@ -44,7 +44,7 @@ public:
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void ConnectionFinished(int half_finished);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
 
diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc
index 76212d822b..e678528f35 100644
--- a/src/analyzer/protocol/socks/SOCKS.cc
+++ b/src/analyzer/protocol/socks/SOCKS.cc
@@ -86,7 +86,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void SOCKS_Analyzer::Undelivered(int seq, int len, bool orig)
+void SOCKS_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h
index f005967fd8..2c72d507e6 100644
--- a/src/analyzer/protocol/socks/SOCKS.h
+++ b/src/analyzer/protocol/socks/SOCKS.h
@@ -23,7 +23,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index 6cd2fa59f8..5e5d24888a 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -57,7 +57,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	}
 
-void SSL_Analyzer::Undelivered(int seq, int len, bool orig)
+void SSL_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 	had_gap = true;
diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h
index f674d64fed..7748222dea 100644
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@@ -16,7 +16,7 @@ public:
 	// Overriden from Analyzer.
 	virtual void Done();
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 
 	// Overriden from tcp::TCP_ApplicationAnalyzer.
 	virtual void EndpointEOF(bool is_orig);
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.cc b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
index 09a7444213..b6473dcf6e 100644
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@@ -63,7 +63,7 @@ void SteppingStoneEndpoint::Done()
 	Event(stp_remove_endp, stp_id);
 	}
 
-int SteppingStoneEndpoint::DataSent(double t, int seq, int len, int caplen,
+int SteppingStoneEndpoint::DataSent(double t, uint64 seq, int len, int caplen,
 		const u_char* data, const IP_Hdr* /* ip */,
 		const struct tcphdr* tp)
 	{
@@ -90,8 +90,8 @@ int SteppingStoneEndpoint::DataSent(double t, int seq, int len, int caplen,
 			break;
 		}
 
-	int ack = endp->AckSeq() - endp->StartSeq();
-	int top_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 top_seq = seq + len;
 
 	if ( top_seq <= ack || top_seq <= stp_max_top_seq )
 		// There is no new data in this packet
@@ -179,7 +179,7 @@ void SteppingStone_Analyzer::Init()
 	}
 
 void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
-						bool is_orig, int seq,
+						bool is_orig, uint64 seq,
 						const IP_Hdr* ip, int caplen)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h
index 1471c08a3b..518cd64a21 100644
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.h
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h
@@ -22,7 +22,7 @@ public:
 	~SteppingStoneEndpoint();
 	void Done();
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 
 protected:
@@ -30,7 +30,7 @@ protected:
 	void CreateEndpEvent(int is_orig);
 
 	tcp::TCP_Endpoint* endp;
-	int stp_max_top_seq;
+	uint64 stp_max_top_seq;
 	double stp_last_time;
 	double stp_resume_time;
 	SteppingStoneManager* stp_manager;
@@ -60,7 +60,7 @@ protected:
 	// We support both packet and stream input and can be put in place even
 	// if the TCP analyzer is not yet reassebmling.
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
 
 	int orig_stream_pos;
diff --git a/src/analyzer/protocol/syslog/Syslog.cc b/src/analyzer/protocol/syslog/Syslog.cc
index 2b783afc64..5e5ce907e6 100644
--- a/src/analyzer/protocol/syslog/Syslog.cc
+++ b/src/analyzer/protocol/syslog/Syslog.cc
@@ -28,7 +28,7 @@ void Syslog_Analyzer::Done()
 		Event(udp_session_done);
 	}
 
-void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 	interp->NewData(orig, data, data + len);
@@ -88,7 +88,7 @@ void Syslog_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int
 //	interp->NewData(orig, data, data + len);
 //	}
 
-//void Syslog_tcp::TCP_Analyzer::Undelivered(int seq, int len, bool orig)
+//void Syslog_tcp::TCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 //	{
 //	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 //	interp->NewGap(orig, len);
diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h
index 355863e36e..619ddb39ba 100644
--- a/src/analyzer/protocol/syslog/Syslog.h
+++ b/src/analyzer/protocol/syslog/Syslog.h
@@ -16,7 +16,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Syslog_Analyzer(conn); }
@@ -38,7 +38,7 @@ protected:
 //
 //	virtual void Done();
 //	virtual void DeliverStream(int len, const u_char* data, bool orig);
-//	virtual void Undelivered(int seq, int len, bool orig);
+//	virtual void Undelivered(uint64 seq, int len, bool orig);
 //	virtual void EndpointEOF(tcp::TCP_Reassembler* endp);
 //
 //	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc
index 63a3c07f00..72314dd45d 100644
--- a/src/analyzer/protocol/tcp/ContentLine.cc
+++ b/src/analyzer/protocol/tcp/ContentLine.cc
@@ -109,7 +109,7 @@ void ContentLine_Analyzer::DeliverStream(int len, const u_char* data,
 	seq += len;
 	}
 
-void ContentLine_Analyzer::Undelivered(int seq, int len, bool orig)
+void ContentLine_Analyzer::Undelivered(uint64 seq, int len, bool orig)
 	{
 	ForwardUndelivered(seq, len, orig);
 	}
diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h
index ecc1347984..93c473c47c 100644
--- a/src/analyzer/protocol/tcp/ContentLine.h
+++ b/src/analyzer/protocol/tcp/ContentLine.h
@@ -53,14 +53,14 @@ public:
 	void SkipBytesAfterThisLine(int64_t length);
 	void SkipBytes(int64_t length);
 
-	bool IsSkippedContents(int64_t seq, int64_t length)
+	bool IsSkippedContents(uint64_t seq, int64_t length)
 		{ return seq + length <= seq_to_skip; }
 
 protected:
 	ContentLine_Analyzer(const char* name, Connection* conn, bool orig);
 
 	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void EndpointEOF(bool is_orig);
 
 	class State;
@@ -71,19 +71,19 @@ protected:
 	void CheckNUL();
 
 	// Returns the sequence number delivered so far.
-	int64_t SeqDelivered() const	{ return seq_delivered_in_lines; }
+	uint64_t SeqDelivered() const	{ return seq_delivered_in_lines; }
 
 	u_char* buf;	// where we build up the body of the request
 	int offset;	// where we are in buf
 	int buf_len;	// how big buf is, total
 	unsigned int last_char;	// last (non-option) character scanned
 
-	int64_t seq;	// last seq number
-	int64_t seq_to_skip;
+	uint64_t seq;	// last seq number
+	uint64_t seq_to_skip;
 
 	// Seq delivered up to through NewLine() -- it is adjusted
 	// *before* NewLine() is called.
-	int64_t seq_delivered_in_lines;
+	uint64_t seq_delivered_in_lines;
 
 	// Number of bytes to be skipped after this line. See
 	// comments in SkipBytesAfterThisLine().
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index c422d01f32..552a73b7ea 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -36,1088 +36,8 @@ namespace { // local namespace
 static const int ORIG = 1;
 static const int RESP = 2;
 
-TCP_Analyzer::TCP_Analyzer(Connection* conn)
-: TransportLayerAnalyzer("TCP", conn)
-	{
-	// Set a timer to eventually time out this connection.
-	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
-				network_time + tcp_SYN_timeout, 0,
-				TIMER_TCP_EXPIRE);
-
-	deferred_gen_event = close_deferred = 0;
-
-	seen_first_ACK = 0;
-	is_active = 1;
-	finished = 0;
-	reassembling = 0;
-	first_packet_seen = 0;
-	is_partial = 0;
-
-	orig = new TCP_Endpoint(this, 1);
-	resp = new TCP_Endpoint(this, 0);
-
-	orig->SetPeer(resp);
-	resp->SetPeer(orig);
-	}
-
-TCP_Analyzer::~TCP_Analyzer()
-	{
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		delete *i;
-
-	delete orig;
-	delete resp;
-	}
-
-void TCP_Analyzer::Init()
-	{
-	Analyzer::Init();
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->Init();
-	}
-
-void TCP_Analyzer::Done()
-	{
-	Analyzer::Done();
-
-	if ( connection_pending && is_active && ! BothClosed() )
-		Event(connection_pending);
-
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->Done();
-
-	orig->Done();
-	resp->Done();
-
-	finished = 1;
-	}
-
-void TCP_Analyzer::EnableReassembly()
-	{
-	SetReassembler(new TCP_Reassembler(this, this,
-	                                   TCP_Reassembler::Forward, orig),
-	               new TCP_Reassembler(this, this,
-	                                   TCP_Reassembler::Forward, resp));
-
-	reassembling = 1;
-
-	if ( new_connection_contents )
-		Event(new_connection_contents);
-	}
-
-void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
-					TCP_Reassembler* rresp)
-	{
-	orig->AddReassembler(rorig);
-	rorig->SetDstAnalyzer(this);
-	resp->AddReassembler(rresp);
-	rresp->SetDstAnalyzer(this);
-
-	reassembling = 1;
-
-	if ( new_connection_contents )
-		Event(new_connection_contents);
-	}
-
-const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
-							int& len, int& caplen)
-	{
-	const struct tcphdr* tp = (const struct tcphdr*) data;
-	uint32 tcp_hdr_len = tp->th_off * 4;
-
-	if ( tcp_hdr_len < sizeof(struct tcphdr) )
-		{
-		Weird("bad_TCP_header_len");
-		return 0;
-		}
-
-	if ( tcp_hdr_len > uint32(len) ||
-	     sizeof(struct tcphdr) > uint32(caplen) )
-		{
-		// This can happen even with the above test, due to TCP
-		// options.
-		Weird("truncated_header");
-		return 0;
-		}
-
-	len -= tcp_hdr_len;	// remove TCP header
-	caplen -= tcp_hdr_len;
-	data += tcp_hdr_len;
-
-	return tp;
-	}
-
-bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp,
-				TCP_Endpoint* endpoint, int len, int caplen)
-	{
-	if ( ! ignore_checksums && caplen >= len &&
-	     ! endpoint->ValidChecksum(tp, len) )
-		{
-		Weird("bad_TCP_checksum");
-		endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C');
-		return false;
-		}
-	else
-		return true;
-	}
-
-void TCP_Analyzer::CheckFlagCombos(TCP_Flags flags, TCP_Endpoint* endpoint,
-					uint32 base_seq, int len, int dst_port)
-	{
-	bool is_orig = endpoint->IsOrig();
-
-	if ( is_orig && ! (first_packet_seen & ORIG) )
-		is_partial = ! flags.SYN() || flags.ACK();
-
-	if ( ! is_orig && ! (first_packet_seen & RESP) && ! is_partial )
-		is_partial = ! flags.SYN();
-
-	int bits_set = (flags.SYN() ? 1 : 0) + (flags.FIN() ? 1 : 0) +
-			(flags.RST() ? 1 : 0);
-	if ( bits_set > 1 )
-		{
-		if ( flags.FIN() && flags.RST() )
-			endpoint->CheckHistory(HIST_FIN_RST_PKT, 'I');
-		else
-			endpoint->CheckHistory(HIST_MULTI_FLAG_PKT, 'Q');
-		}
-
-	else if ( bits_set == 1 )
-		{
-		if ( flags.SYN() )
-			{
-			char code = flags.ACK() ? 'H' : 'S';
-
-			if ( endpoint->CheckHistory(HIST_SYN_PKT, code) &&
-			     base_seq != endpoint->hist_last_SYN )
-				endpoint->AddHistory(code);
-
-			endpoint->hist_last_SYN = base_seq;
-			}
-
-		if ( flags.FIN() )
-			{
-			// For FIN's, the sequence number comes at the
-			// end of (any data in) the packet, not the
-			// beginning as for SYNs and RSTs.
-			if ( endpoint->CheckHistory(HIST_FIN_PKT, 'F') &&
-			     base_seq + len != endpoint->hist_last_FIN )
-				endpoint->AddHistory('F');
-
-			endpoint->hist_last_FIN = base_seq + len;
-			}
-
-		if ( flags.RST() )
-			{
-			if ( endpoint->CheckHistory(HIST_RST_PKT, 'R') &&
-			     base_seq != endpoint->hist_last_RST )
-				endpoint->AddHistory('R');
-
-			endpoint->hist_last_RST = base_seq;
-			}
-		}
-
-	else
-		{ // bits_set == 0
-		if ( len )
-			endpoint->CheckHistory(HIST_DATA_PKT, 'D');
-
-		else if ( flags.ACK() )
-			endpoint->CheckHistory(HIST_ACK_PKT, 'A');
-		}
-	}
-
-void TCP_Analyzer::UpdateWindow(TCP_Endpoint* endpoint, unsigned int window,
-				uint32 base_seq, uint32 ack_seq,
-				TCP_Flags flags)
-	{
-	// Note, the offered window on an initial SYN is unscaled, even
-	// if the SYN includes scaling, so we need to do the following
-	// test *before* updating the scaling information below.  (Hmmm,
-	// how does this work for windows on SYN/ACKs? ###)
-	int scale = endpoint->window_scale;
-	window = window << scale;
-
-	// Don't analyze window values off of SYNs, they're sometimes
-	// immediately rescinded.
-	if ( ! flags.SYN() )
-		{
-		// ### Decide whether to accept new window based on Active
-		// Mapping policy.
-		if ( int(base_seq - endpoint->window_seq) >= 0 &&
-		     int(ack_seq - endpoint->window_ack_seq) >= 0 )
-			{
-			uint32 new_edge = ack_seq + window;
-			uint32 old_edge = endpoint->window_ack_seq + endpoint->window;
-			int advance = new_edge - old_edge;
-
-			if ( advance < 0 )
-				{
-				// A window recision.  We don't report these
-				// for FINs or RSTs, or if the connection
-				// has already been partially closed, since
-				// such recisions occur frequently in practice,
-				// probably as the receiver loses buffer memory
-				// due to its process going away.
-				//
-				// We also, for window scaling, allow a bit
-				// of slop ###.  This is because sometimes
-				// there will be an apparent recision due
-				// to the granularity of the scaling.
-				if ( ! flags.FIN() && ! flags.RST() &&
-				     endpoint->state != TCP_ENDPOINT_CLOSED &&
-				     endpoint->state != TCP_ENDPOINT_RESET &&
-				     (-advance) >= (1 << scale) )
-					Weird("window_recision");
-				}
-
-			endpoint->window = window;
-			endpoint->window_ack_seq = ack_seq;
-			endpoint->window_seq = base_seq;
-			}
-		}
-	}
-
-void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
-				uint32 tcp_hdr_len, int& seq_len,
-				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 ack_seq,
-				const IPAddr& orig_addr,
-				int is_orig, TCP_Flags flags)
-	{
-	int len = seq_len;
-
-	++seq_len;	// SYN consumes a byte of sequence space
-
-	if ( flags.RST() )
-		Weird("TCP_christmas");
-
-	if ( flags.URG() )
-		Weird("baroque_SYN");
-
-	if ( len > 0 )
-		// T/TCP definitely complicates this.
-		Weird("SYN_with_data");
-
-	RecordVal* SYN_vals = BuildSYNPacketVal(is_orig, ip, tp)->AsRecordVal();
-
-	// ### In the following, we could be fooled by an
-	// inconsistent SYN retransmission.  Where's a normalizer
-	// when you need one?
-
-	// ### We know that field 5 is the window scaling ....
-	int scale = int(SYN_vals->Lookup(5)->CoerceToInt());
-
-	if ( scale < 0 )
-		{ // no window scaling option
-		if ( flags.ACK() )
-			{ // window scaling not negotiated
-			endpoint->window_scale = 0;
-			peer->window_scale = 0;
-			}
-		else
-			// We're not offering window scaling.
-			// Ideally, we'd remember this fact so that
-			// if the SYN/ACK *does* include window
-			// scaling, we know it won't be negotiated.
-			// But it's a pain to track that, and hard
-			// to see how an adversarial responder could
-			// use it to evade.  Also, if we *do* want
-			// to track it, we could do so using
-			// connection_SYN_packet.
-			endpoint->window_scale = 0;
-		}
-	else
-		{
-		endpoint->window_scale = scale;
-		endpoint->window_seq = base_seq;
-		endpoint->window_ack_seq = ack_seq;
-
-		peer->window_seq = ack_seq;
-		peer->window_ack_seq = base_seq;
-		}
-
-	if ( connection_SYN_packet )
-		{
-		val_list* vl = new val_list;
-		vl->append(BuildConnVal());
-		vl->append(SYN_vals);
-		ConnectionEvent(connection_SYN_packet, vl);
-		}
-	else
-		Unref(SYN_vals);
-
-	// Passive fingerprinting.
-	//
-	// is_orig will be removed once we can do SYN-ACK fingerprinting.
-	if ( OS_version_found && is_orig )
-		{
-		AddrVal src_addr_val(orig_addr);
-		if ( generate_OS_version_event->Size() == 0 ||
-		     generate_OS_version_event->Lookup(&src_addr_val) )
-			{
-			RecordVal* OS_val =
-				BuildOSVal(is_orig, ip, tp, tcp_hdr_len);
-			if ( OS_val )
-				{ // found new OS version
-				val_list* vl = new val_list;
-				vl->append(BuildConnVal());
-				vl->append(new AddrVal(orig_addr));
-				vl->append(OS_val);
-				ConnectionEvent(OS_version_found, vl);
-				}
-			}
-		}
-	}
-
-void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint,
-				int& seq_len, uint32 base_seq)
-	{
-	++seq_len;  // FIN consumes a byte of sequence space.
-	++endpoint->FIN_cnt;  // remember that we've seen a FIN
-
-	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
-	     endpoint->FIN_cnt == tcp_storm_thresh )
-		Weird("FIN_storm");
-
-	// Remember the relative seq in FIN_seq.
-	endpoint->FIN_seq = base_seq - endpoint->StartSeq() + seq_len;
-	}
-
-void TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint,
-				const IP_Hdr* ip, uint32 base_seq,
-				int len, int& seq_len)
-	{
-	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
-	     ++endpoint->RST_cnt == tcp_storm_thresh )
-		Weird("RST_storm");
-
-	else if ( endpoint->RST_cnt == 0 )
-		++endpoint->RST_cnt;	// Remember we've seen a RST
-
-	if ( len > 0 )
-		{
-		// This now happens often enough that it's
-		// not in the least interesting.
-		// Weird("RST_with_data");
-
-		// Don't include the data in the computation of
-		// the sequence space for this connection, as
-		// it's not in fact part of the TCP stream.
-		seq_len = 0;
-		}
-
-	PacketWithRST();
-	}
-
-void TCP_Analyzer::ProcessFlags(double t,
-				const IP_Hdr* ip, const struct tcphdr* tp,
-				uint32 tcp_hdr_len, int len, int& seq_len,
-				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 ack_seq,
-				const IPAddr& orig_addr,
-				int is_orig, TCP_Flags flags)
-	{
-	if ( flags.SYN() )
-		ProcessSYN(ip, tp, tcp_hdr_len, seq_len, endpoint, peer,
-				base_seq, ack_seq, orig_addr, is_orig, flags);
-
-	if ( flags.FIN() )
-		ProcessFIN(t, endpoint, seq_len, base_seq);
-
-	if ( flags.RST() )
-		ProcessRST(t, endpoint, ip, base_seq, len, seq_len);
-
-	if ( flags.ACK() )
-		ProcessACK(endpoint, peer, ack_seq, is_orig, flags);
-	}
-
-void TCP_Analyzer::TransitionFromInactive(double t, TCP_Endpoint* endpoint,
-						uint32 base_seq,
-						uint32 last_seq, int SYN)
-	{
-	if ( SYN )
-		{
-		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
-		endpoint->InitAckSeq(base_seq);
-		endpoint->InitStartSeq(base_seq);
-		}
-	else
-		{
-		// This is a partial connection - set up the
-		// initial sequence numbers as though we saw
-		// a SYN, to keep the relative byte numbering
-		// consistent.
-		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq - 1;
-		endpoint->InitAckSeq(base_seq - 1);
-		endpoint->InitStartSeq(base_seq - 1);
-		}
-
-	// ## endpoint->last_seq = last_seq;
-	endpoint->InitLastSeq(last_seq);
-	endpoint->start_time = t;
-	}
-
-int TCP_Analyzer::UpdateLastSeq(TCP_Endpoint* endpoint, uint32 last_seq,
-					TCP_Flags flags)
-	{
-	int delta_last = seq_delta(last_seq, endpoint->LastSeq());
-
-	if ( (flags.SYN() || flags.RST()) &&
-	     (delta_last > TOO_LARGE_SEQ_DELTA ||
-	      delta_last < -TOO_LARGE_SEQ_DELTA) )
-		// ### perhaps trust RST seq #'s if initial and not too
-		// outlandish, but not if they're coming after the other
-		// side has sent a FIN - trust the FIN ack instead
-		;
-
-	else if ( flags.FIN() &&
-		  endpoint->LastSeq() == endpoint->StartSeq() + 1 )
-		// Update last_seq based on the FIN even if delta_last < 0.
-		// This is to accommodate > 2 GB connections for which
-		// we've only seen the SYN and the FIN (hence the check
-		// for last_seq == start_seq + 1).
-		endpoint->UpdateLastSeq(last_seq);
-
-	else if ( endpoint->state == TCP_ENDPOINT_RESET )
-		// don't trust any subsequent sequence numbers
-		;
-
-	else if ( delta_last > 0 )
-		// ### check for large jumps here.
-		// ## endpoint->last_seq = last_seq;
-		endpoint->UpdateLastSeq(last_seq);
-
-	else if ( delta_last <= 0 )
-		{ // ### ++retransmit, unless this is a pure ack
-		}
-
-	return delta_last;
-	}
-
-void TCP_Analyzer::ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 ack_seq, int is_orig,
-				TCP_Flags flags)
-	{
-	if ( is_orig && ! seen_first_ACK &&
-	     (endpoint->state == TCP_ENDPOINT_ESTABLISHED ||
-	      endpoint->state == TCP_ENDPOINT_SYN_SENT) )
-		{
-		seen_first_ACK = 1;
-		Event(connection_first_ACK);
-		}
-
-	if ( peer->state == TCP_ENDPOINT_INACTIVE )
-		{
-		if ( ! flags.SYN() && ! flags.FIN() && ! flags.RST() )
-			{
-			if ( endpoint->state == TCP_ENDPOINT_SYN_SENT ||
-			     endpoint->state == TCP_ENDPOINT_SYN_ACK_SENT ||
-			     endpoint->state == TCP_ENDPOINT_ESTABLISHED )
-				{
-				// We've already sent a SYN, but that
-				// hasn't roused the other end, yet we're
-				// ack'ing their data.
-
-				if ( ! Conn()->DidWeird() )
-					Weird("possible_split_routing");
-				}
-			}
-
-		// Start the sequence numbering as if there was an initial
-		// SYN, so the relative numbering of subsequent data packets
-		// stays consistent.
-		// ## peer->start_seq = peer->AckSeq() = peer->last_seq =
-		// ## 	ack_seq - 1;
-		peer->InitStartSeq(ack_seq - 1);
-		peer->InitAckSeq(ack_seq - 1);
-		peer->InitLastSeq(ack_seq - 1);
-		}
-
-	else if ( ! flags.RST() )
-		{ // don't trust ack's in RST packets
-		int delta_ack = seq_delta(ack_seq, peer->AckSeq());
-		if ( ack_seq == 0 && delta_ack > TOO_LARGE_SEQ_DELTA )
-			// More likely that this is a broken ack than a
-			// large connection that happens to land on 0 in the
-			// sequence space.
-			;
-
-		else if ( delta_ack > 0 )
-			peer->UpdateAckSeq(ack_seq);
-		}
-
-	peer->AckReceived(ack_seq - peer->StartSeq());
-	}
-
-void TCP_Analyzer::UpdateInactiveState(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq,
-			int len, int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	if ( flags.SYN() )
-		{
-		if ( is_orig )
-			{
-			if ( flags.ACK() )
-				{
-				Weird("connection_originator_SYN_ack");
-				endpoint->SetState(TCP_ENDPOINT_SYN_ACK_SENT);
-				}
-			else
-				endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
-
-			if ( tcp_attempt_delay )
-				ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
-					t + tcp_attempt_delay, 1,
-					TIMER_TCP_ATTEMPT);
-			}
-		else
-			{
-			if ( flags.ACK() )
-				{
-				if ( peer->state != TCP_ENDPOINT_INACTIVE &&
-				     peer->state != TCP_ENDPOINT_PARTIAL &&
-				     ! seq_between(ack_seq, peer->StartSeq(), peer->LastSeq()) )
-					Weird("bad_SYN_ack");
-				}
-
-			else if ( peer->state == TCP_ENDPOINT_SYN_ACK_SENT &&
-				  base_seq == endpoint->StartSeq() )
-				{
-				// This is a SYN/SYN-ACK reversal,
-				// per the discussion in IsReuse.
-				// Flip the endpoints and establish
-				// the connection.
-				is_partial = 0;
-				Conn()->FlipRoles();
-				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
-				}
-
-			else
-				Weird("simultaneous_open");
-
-			if ( peer->state == TCP_ENDPOINT_SYN_SENT )
-				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
-			else if ( peer->state == TCP_ENDPOINT_INACTIVE )
-				{
-				// If we were to ignore SYNs and
-				// only instantiate state on SYN
-				// acks, then we'd do:
-				//    peer->SetState(TCP_ENDPOINT_ESTABLISHED);
-				// here.
-				Weird("unsolicited_SYN_response");
-				}
-
-			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
-
-			if ( peer->state != TCP_ENDPOINT_PARTIAL )
-				{
-				Event(connection_established);
-				Conn()->EnableStatusUpdateTimer();
-				}
-			}
-		}
-
-	if ( flags.FIN() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_CLOSED);
-		do_close = gen_event = 1;
-		if ( peer->state != TCP_ENDPOINT_PARTIAL && ! flags.SYN() )
-			Weird("spontaneous_FIN");
-		}
-
-	if ( flags.RST() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-
-		int is_reject = 0;
-
-		if ( is_orig )
-			{
-			// If our peer is established then we saw
-			// a SYN-ack but not SYN - so a reverse
-			// scan, and we should treat this as a
-			// reject.
-			if ( peer->state == TCP_ENDPOINT_ESTABLISHED )
-				is_reject = 1;
-			}
-
-		else if ( peer->state == TCP_ENDPOINT_SYN_SENT ||
-			  peer->state == TCP_ENDPOINT_SYN_ACK_SENT )
-			// We're rejecting an initial SYN.
-			is_reject = 1;
-
-		do_close = 1;
-		gen_event = ! is_reject;
-
-		if ( is_reject )
-			Event(connection_rejected);
-
-		else if ( peer->state == TCP_ENDPOINT_INACTIVE )
-			Weird("spontaneous_RST");
-		}
-
-	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
-		{ // No control flags to change the state.
-		if ( ! is_orig && len == 0 &&
-		     orig->state == TCP_ENDPOINT_SYN_SENT )
-			// Some eccentric TCP's will ack an initial
-			// SYN prior to sending a SYN reply (hello,
-			// ftp.microsoft.com).  For those, don't
-			// consider the ack as forming a partial
-			// connection.
-			;
-		else
-			{
-			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
-			Conn()->EnableStatusUpdateTimer();
-
-			if ( peer->state == TCP_ENDPOINT_PARTIAL )
-				// We've seen both sides of a partial
-				// connection, report it.
-				Event(partial_connection);
-			}
-		}
-	}
-
-void TCP_Analyzer::UpdateSYN_SentState(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 last_seq,
-			int len, int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	if ( flags.SYN() )
-		{
-		if ( is_orig )
-			{
-			if ( flags.ACK() && ! flags.FIN() && ! flags.RST() &&
-			     endpoint->state != TCP_ENDPOINT_SYN_ACK_SENT )
-				Weird("repeated_SYN_with_ack");
-			}
-		else
-			{
-			if ( ! flags.ACK() &&
-			     endpoint->state != TCP_ENDPOINT_SYN_SENT )
-				Weird("repeated_SYN_reply_wo_ack");
-			}
-
-		if ( base_seq != endpoint->StartSeq() )
-			{
-			Weird("SYN_seq_jump");
-			// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
-			// ## endpoint->last_seq = last_seq;
-			endpoint->InitStartSeq(base_seq);
-			endpoint->InitAckSeq(base_seq);
-			endpoint->InitLastSeq(last_seq);
-			}
-		}
-
-	if ( flags.FIN() )
-		{
-		if ( peer->state == TCP_ENDPOINT_INACTIVE ||
-		     peer->state == TCP_ENDPOINT_SYN_SENT )
-			Weird("inappropriate_FIN");
-
-		endpoint->SetState(TCP_ENDPOINT_CLOSED);
-		do_close = gen_event = 1;
-		}
-
-	if ( flags.RST() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-		ConnectionReset();
-		do_close = 1;
-		}
-
-	else if ( len > 0 )
-		Weird("data_before_established");
-	}
-
-void TCP_Analyzer::UpdateEstablishedState(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 last_seq,
-			int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	if ( flags.SYN() )
-		{
-		if ( endpoint->state == TCP_ENDPOINT_PARTIAL &&
-		     peer->state == TCP_ENDPOINT_INACTIVE && ! flags.ACK() )
-			{
-			Weird("SYN_after_partial");
-			endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
-			}
-
-		if ( endpoint->Size() > 0 )
-			Weird("SYN_inside_connection");
-
-		if ( base_seq != endpoint->StartSeq() )
-			Weird("SYN_seq_jump");
-
-		// Make a guess that somehow the connection didn't
-		// get established, and this SYN will be the
-		// one that actually sets it up.
-		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
-		// ## endpoint->last_seq = last_seq;
-		endpoint->InitStartSeq(base_seq);
-		endpoint->InitAckSeq(base_seq);
-		endpoint->InitLastSeq(last_seq);
-		}
-
-	if ( flags.FIN() && ! flags.RST() )	// ###
-		{ // should check sequence/ack numbers here ###
-		endpoint->SetState(TCP_ENDPOINT_CLOSED);
-
-		if ( peer->state == TCP_ENDPOINT_RESET &&
-		     peer->prev_state == TCP_ENDPOINT_CLOSED )
-			// The peer sent a FIN followed by a RST.
-			// Turn it back into CLOSED state, because
-			// this was actually normal termination.
-			peer->SetState(TCP_ENDPOINT_CLOSED);
-
-		do_close = gen_event = 1;
-		}
-
-	if ( flags.RST() )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-		do_close = 1;
-
-		if ( peer->state != TCP_ENDPOINT_RESET ||
-		     peer->prev_state != TCP_ENDPOINT_ESTABLISHED )
-			ConnectionReset();
-		}
-	}
-
-void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint,
-				int delta_last, TCP_Flags flags, int& do_close)
-	{
-	if ( flags.SYN() )
-		Weird("SYN_after_close");
-
-	if ( flags.FIN() && delta_last > 0 )
-		// Probably should also complain on FIN recision.
-		// That requires an extra state variable to avoid
-		// generating slews of weird's when a TCP gets
-		// seriously confused (this from experience).
-		Weird("FIN_advanced_last_seq");
-
-	// Previously, our state was CLOSED, since we sent a FIN.
-	// If our peer was also closed, then don't change our state
-	// now on a RST, since this connection has already seen a FIN
-	// exchange.
-	if ( flags.RST() && endpoint->peer->state != TCP_ENDPOINT_CLOSED )
-		{
-		endpoint->SetState(TCP_ENDPOINT_RESET);
-
-		if ( ! endpoint->did_close )
-			// RST after FIN.
-			do_close = 1;
-
-		if ( connection_reset )
-			ADD_ANALYZER_TIMER(&TCP_Analyzer::ResetTimer,
-					t + tcp_reset_delay, 1,
-					TIMER_TCP_RESET);
-		}
-	}
-
-void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags,
-                                    TCP_Endpoint* endpoint, uint32 base_seq,
-                                    uint32 last_seq)
-	{
-	if ( flags.SYN() )
-		{
-		Weird("SYN_after_reset");
-
-		if ( endpoint->prev_state == TCP_ENDPOINT_INACTIVE )
-			{
-			// Seq. numbers were initialized by a RST packet from this endpoint,
-			// but now that a SYN is seen from it, that could mean the earlier
-			// RST was spoofed/injected, so re-initialize.  This mostly just
-			// helps prevent misrepresentations of payload sizes that are based
-			// on bad initial sequence values.
-			endpoint->InitStartSeq(base_seq);
-			endpoint->InitAckSeq(base_seq);
-			endpoint->InitLastSeq(last_seq);
-			}
-		}
-
-	if ( flags.FIN() )
-		Weird("FIN_after_reset");
-
-	if ( len > 0 && ! flags.RST() )
-		Weird("data_after_reset");
-	}
-
-void TCP_Analyzer::UpdateStateMachine(double t,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq, uint32 last_seq,
-			int len, int delta_last, int is_orig, TCP_Flags flags,
-			int& do_close, int& gen_event)
-	{
-	do_close = 0;	// whether to report the connection as closed
-	gen_event = 0;	// if so, whether to generate an event
-
-	switch ( endpoint->state ) {
-
-	case TCP_ENDPOINT_INACTIVE:
-		UpdateInactiveState(t, endpoint, peer, base_seq, ack_seq,
-					len, is_orig, flags,
-					do_close, gen_event);
-		break;
-
-	case TCP_ENDPOINT_SYN_SENT:
-	case TCP_ENDPOINT_SYN_ACK_SENT:
-		UpdateSYN_SentState(t, endpoint, peer, base_seq, last_seq,
-					len, is_orig, flags,
-					do_close, gen_event);
-		break;
-
-	case TCP_ENDPOINT_ESTABLISHED:
-	case TCP_ENDPOINT_PARTIAL:
-		UpdateEstablishedState(t, endpoint, peer, base_seq, last_seq,
-					is_orig, flags, do_close, gen_event);
-		break;
-
-	case TCP_ENDPOINT_CLOSED:
-		UpdateClosedState(t, endpoint, delta_last, flags, do_close);
-		break;
-
-	case TCP_ENDPOINT_RESET:
-		UpdateResetState(len, flags, endpoint, base_seq, last_seq);
-		break;
-	}
-	}
-
-void TCP_Analyzer::GeneratePacketEvent(TCP_Endpoint* endpoint,
-					TCP_Endpoint* peer,
-					uint32 base_seq, uint32 ack_seq,
-					const u_char* data, int len, int caplen,
-					int is_orig, TCP_Flags flags)
-	{
-	char tcp_flags[256];
-	int tcp_flag_len = 0;
-
-	if ( flags.SYN() ) tcp_flags[tcp_flag_len++] = 'S';
-	if ( flags.FIN() ) tcp_flags[tcp_flag_len++] = 'F';
-	if ( flags.RST() ) tcp_flags[tcp_flag_len++] = 'R';
-	if ( flags.ACK() ) tcp_flags[tcp_flag_len++] = 'A';
-	if ( flags.PUSH() ) tcp_flags[tcp_flag_len++] = 'P';
-	if ( flags.URG() ) tcp_flags[tcp_flag_len++] = 'U';
-
-	tcp_flags[tcp_flag_len] = '\0';
-
-	val_list* vl = new val_list();
-
-	vl->append(BuildConnVal());
-	vl->append(new Val(is_orig, TYPE_BOOL));
-	vl->append(new StringVal(tcp_flags));
-	vl->append(new Val(base_seq - endpoint->StartSeq(), TYPE_COUNT));
-	vl->append(new Val(flags.ACK() ?
-			ack_seq - peer->StartSeq() : 0, TYPE_COUNT));
-	vl->append(new Val(len, TYPE_COUNT));
-
-	// We need the min() here because Ethernet padding can lead to
-	// caplen > len.
-	vl->append(new StringVal(min(caplen, len), (const char*) data));
-
-	ConnectionEvent(tcp_packet, vl);
-	}
-
-int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
-				const IP_Hdr* ip, const struct tcphdr* tp,
-				TCP_Endpoint* endpoint, uint32 base_seq,
-				int is_orig, TCP_Flags flags)
-	{
-	int data_seq = base_seq - endpoint->StartSeq();
-	if ( flags.SYN() )
-		++data_seq;	// skip over SYN octet
-
-	int need_contents = endpoint->DataSent(t, data_seq,
-					len, caplen, data, ip, tp);
-
-	return need_contents;
-	}
-
-void TCP_Analyzer::CheckRecording(int need_contents, TCP_Flags flags)
-	{
-	bool record_current_content = need_contents || Conn()->RecordContents();
-	bool record_current_packet =
-		Conn()->RecordPackets() ||
-		flags.SYN() || flags.FIN() || flags.RST();
-
-	Conn()->SetRecordCurrentContent(record_current_content);
-	Conn()->SetRecordCurrentPacket(record_current_packet);
-	}
-
-void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
-	{
-	if ( is_orig && ! (first_packet_seen & ORIG) )
-		{
-		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
-		if ( pia )
-			pia->FirstPacket(is_orig, ip);
-		first_packet_seen |= ORIG;
-		}
-
-	if ( ! is_orig && ! (first_packet_seen & RESP) )
-		{
-		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
-		if ( pia )
-			pia->FirstPacket(is_orig, ip);
-		first_packet_seen |= RESP;
-		}
-	}
-
-void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
-	{
-	TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-
-	const struct tcphdr* tp = ExtractTCP_Header(data, len, caplen);
-	if ( ! tp )
-		return;
-
-	// We need the min() here because Ethernet frame padding can lead to
-	// caplen > len.
-	if ( packet_contents )
-		PacketContents(data, min(len, caplen));
-
-	TCP_Endpoint* endpoint = is_orig ? orig : resp;
-	TCP_Endpoint* peer = endpoint->peer;
-
-	if ( ! ValidateChecksum(tp, endpoint, len, caplen) )
-		return;
-
-	TCP_Flags flags(tp);
-
-	uint32 base_seq = ntohl(tp->th_seq);
-	uint32 ack_seq = ntohl(tp->th_ack);
-
-	CheckFlagCombos(flags, endpoint, base_seq, len, ntohs(tp->th_dport));
-
-	UpdateWindow(endpoint, ntohs(tp->th_win), base_seq, ack_seq, flags);
-
-	double t = current_timestamp;
-
-	if ( ! orig->did_close || ! resp->did_close )
-		Conn()->SetLastTime(t);
-
-	const IPAddr orig_addr = Conn()->OrigAddr();
-
-	uint32 tcp_hdr_len = data - (const u_char*) tp;
-
-	int seq_len = len;	// length in terms of sequence space
-
-	ProcessFlags(t, ip, tp, tcp_hdr_len, len, seq_len, endpoint, peer, base_seq,
-	             ack_seq, orig_addr, is_orig, flags);
-
-	uint32 last_seq = base_seq + seq_len;
-
-	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
-		TransitionFromInactive(t, endpoint, base_seq, last_seq,
-					flags.SYN());
-
-	int delta_last = UpdateLastSeq(endpoint, last_seq, flags);
-
-	endpoint->last_time = t;
-
-	int do_close;
-	int gen_event;
-	UpdateStateMachine(t, endpoint, peer, base_seq, ack_seq, last_seq,
-				len, delta_last, is_orig, flags,
-				do_close, gen_event);
-
-	if ( tcp_packet )
-		GeneratePacketEvent(endpoint, peer, base_seq, ack_seq,
-					data, len, caplen, is_orig, flags);
-
-	if ( tcp_option && tcp_hdr_len > sizeof(*tp) &&
-	     tcp_hdr_len <= uint32(caplen) )
-		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
-
-	if ( DEBUG_tcp_data_sent )
-		{
-		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
-			  network_time, len, caplen, Skipping());
-		}
-
-	int need_contents = 0;
-	if ( len > 0 && (caplen >= len || packet_children.size()) &&
-	     ! flags.RST() && ! Skipping() )
-		need_contents = DeliverData(t, data, len, caplen, ip, tp,
-						endpoint, base_seq,
-						is_orig, flags);
-
-	endpoint->CheckEOF();
-
-	if ( do_close )
-		{
-		// We need to postpone doing this until after we process
-		// DataSent, so we don't generate a connection_finished event
-		// until after data perhaps included with the FIN is processed.
-		ConnectionClosed(endpoint, peer, gen_event);
-		}
-
-	CheckRecording(need_contents, flags);
-
-	// Handle child_packet analyzers.  Note: This happens *after* the
-	// packet has been processed and the TCP state updated.
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->NextPacket(len, data, is_orig,
-				base_seq - endpoint->StartSeq(), ip, caplen);
-
-	if ( ! reassembling )
-		ForwardPacket(len, data, is_orig,
-				base_seq - endpoint->StartSeq(), ip, caplen);
-
-	CheckPIA_FirstPacket(is_orig, ip);
-	}
-
-void TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	Analyzer::DeliverStream(len, data, orig);
-	}
-
-void TCP_Analyzer::Undelivered(int seq, int len, bool is_orig)
-	{
-	Analyzer::Undelivered(seq, len, orig);
-	}
-
-void TCP_Analyzer::FlipRoles()
-	{
-	Analyzer::FlipRoles();
-
-	sessions->tcp_stats.FlipState(orig->state, resp->state);
-	TCP_Endpoint* tmp_ep = resp;
-	resp = orig;
-	orig = tmp_ep;
-	orig->is_orig = !orig->is_orig;
-	resp->is_orig = !resp->is_orig;
-	}
-
-void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
-	{
-	RecordVal *orig_endp_val = conn_val->Lookup("orig")->AsRecordVal();
-	RecordVal *resp_endp_val = conn_val->Lookup("resp")->AsRecordVal();
-
-	orig_endp_val->Assign(0, new Val(orig->Size(), TYPE_COUNT));
-	orig_endp_val->Assign(1, new Val(int(orig->state), TYPE_COUNT));
-	resp_endp_val->Assign(0, new Val(resp->Size(), TYPE_COUNT));
-	resp_endp_val->Assign(1, new Val(int(resp->state), TYPE_COUNT));
-
-	// Call children's UpdateConnVal
-	Analyzer::UpdateConnVal(conn_val);
-
-	// Have to do packet_children ourselves.
-	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
-		(*i)->UpdateConnVal(conn_val);
-	}
-
-Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
-					const struct tcphdr* tcp)
+static RecordVal* build_syn_packet_val(int is_orig, const IP_Hdr* ip,
+                                       const struct tcphdr* tcp)
 	{
 	int winscale = -1;
 	int MSS = 0;
@@ -1195,8 +115,8 @@ Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
 	return v;
 	}
 
-RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
-			const struct tcphdr* tcp, uint32 tcp_hdr_len)
+static RecordVal* build_os_val(int is_orig, const IP_Hdr* ip,
+                               const struct tcphdr* tcp, uint32 tcp_hdr_len)
 	{
 	if ( ! is_orig )
 		// Later we might use SYN-ACK fingerprinting here.
@@ -1361,6 +281,1134 @@ RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
 	return 0;
 	}
 
+
+static void passive_fingerprint(TCP_Analyzer* tcp, bool is_orig,
+                                const IP_Hdr* ip, const struct tcphdr* tp,
+                                uint32 tcp_hdr_len)
+	{
+	// is_orig will be removed once we can do SYN-ACK fingerprinting
+	if ( OS_version_found && is_orig )
+		{
+		const IPAddr& orig_addr = tcp->Conn()->OrigAddr();
+		AddrVal* src_addr_val = new AddrVal(orig_addr);
+
+		if ( generate_OS_version_event->Size() == 0 ||
+		     generate_OS_version_event->Lookup(src_addr_val) )
+			{
+			RecordVal* OS_val = build_os_val(is_orig, ip, tp, tcp_hdr_len);
+
+			if ( OS_val )
+				{ // found new OS version
+				val_list* vl = new val_list;
+				vl->append(tcp->BuildConnVal());
+				vl->append(src_addr_val->Ref());
+				vl->append(OS_val);
+				tcp->ConnectionEvent(OS_version_found, vl);
+				}
+			}
+
+		Unref(src_addr_val);
+		}
+	}
+
+TCP_Analyzer::TCP_Analyzer(Connection* conn)
+: TransportLayerAnalyzer("TCP", conn)
+	{
+	// Set a timer to eventually time out this connection.
+	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
+				network_time + tcp_SYN_timeout, 0,
+				TIMER_TCP_EXPIRE);
+
+	deferred_gen_event = close_deferred = 0;
+
+	seen_first_ACK = 0;
+	is_active = 1;
+	finished = 0;
+	reassembling = 0;
+	first_packet_seen = 0;
+	is_partial = 0;
+
+	orig = new TCP_Endpoint(this, 1);
+	resp = new TCP_Endpoint(this, 0);
+
+	orig->SetPeer(resp);
+	resp->SetPeer(orig);
+	}
+
+TCP_Analyzer::~TCP_Analyzer()
+	{
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		delete *i;
+
+	delete orig;
+	delete resp;
+	}
+
+void TCP_Analyzer::Init()
+	{
+	Analyzer::Init();
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->Init();
+	}
+
+void TCP_Analyzer::Done()
+	{
+	Analyzer::Done();
+
+	if ( connection_pending && is_active && ! BothClosed() )
+		Event(connection_pending);
+
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->Done();
+
+	orig->Done();
+	resp->Done();
+
+	finished = 1;
+	}
+
+void TCP_Analyzer::EnableReassembly()
+	{
+	SetReassembler(new TCP_Reassembler(this, this,
+	                                   TCP_Reassembler::Forward, orig),
+	               new TCP_Reassembler(this, this,
+	                                   TCP_Reassembler::Forward, resp));
+
+	reassembling = 1;
+
+	if ( new_connection_contents )
+		Event(new_connection_contents);
+	}
+
+void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
+					TCP_Reassembler* rresp)
+	{
+	orig->AddReassembler(rorig);
+	rorig->SetDstAnalyzer(this);
+	resp->AddReassembler(rresp);
+	rresp->SetDstAnalyzer(this);
+
+	reassembling = 1;
+
+	if ( new_connection_contents )
+		Event(new_connection_contents);
+	}
+
+const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
+							int& len, int& caplen)
+	{
+	const struct tcphdr* tp = (const struct tcphdr*) data;
+	uint32 tcp_hdr_len = tp->th_off * 4;
+
+	if ( tcp_hdr_len < sizeof(struct tcphdr) )
+		{
+		Weird("bad_TCP_header_len");
+		return 0;
+		}
+
+	if ( tcp_hdr_len > uint32(len) ||
+	     sizeof(struct tcphdr) > uint32(caplen) )
+		{
+		// This can happen even with the above test, due to TCP
+		// options.
+		Weird("truncated_header");
+		return 0;
+		}
+
+	len -= tcp_hdr_len;	// remove TCP header
+	caplen -= tcp_hdr_len;
+	data += tcp_hdr_len;
+
+	return tp;
+	}
+
+bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp,
+				TCP_Endpoint* endpoint, int len, int caplen)
+	{
+	if ( ! ignore_checksums && caplen >= len &&
+	     ! endpoint->ValidChecksum(tp, len) )
+		{
+		Weird("bad_TCP_checksum");
+		endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C');
+		return false;
+		}
+	else
+		return true;
+	}
+
+void TCP_Analyzer::SetPartialStatus(TCP_Flags flags, bool is_orig)
+	{
+	if ( is_orig )
+		{
+		if ( ! (first_packet_seen & ORIG) )
+			is_partial = ! flags.SYN() || flags.ACK();
+		}
+	else
+		{
+		if ( ! (first_packet_seen & RESP) && ! is_partial )
+			is_partial = ! flags.SYN();
+		}
+	}
+
+static void update_history(TCP_Flags flags, TCP_Endpoint* endpoint,
+                          uint64 rel_seq, int len)
+	{
+	int bits_set = (flags.SYN() ? 1 : 0) + (flags.FIN() ? 1 : 0) +
+			(flags.RST() ? 1 : 0);
+	if ( bits_set > 1 )
+		{
+		if ( flags.FIN() && flags.RST() )
+			endpoint->CheckHistory(HIST_FIN_RST_PKT, 'I');
+		else
+			endpoint->CheckHistory(HIST_MULTI_FLAG_PKT, 'Q');
+		}
+
+	else if ( bits_set == 1 )
+		{
+		if ( flags.SYN() )
+			{
+			char code = flags.ACK() ? 'H' : 'S';
+
+			if ( endpoint->CheckHistory(HIST_SYN_PKT, code) &&
+			     rel_seq != endpoint->hist_last_SYN )
+				endpoint->AddHistory(code);
+
+			endpoint->hist_last_SYN = rel_seq;
+			}
+
+		if ( flags.FIN() )
+			{
+			// For FIN's, the sequence number comes at the
+			// end of (any data in) the packet, not the
+			// beginning as for SYNs and RSTs.
+			if ( endpoint->CheckHistory(HIST_FIN_PKT, 'F') &&
+			     rel_seq + len != endpoint->hist_last_FIN )
+				endpoint->AddHistory('F');
+
+			endpoint->hist_last_FIN = rel_seq + len;
+			}
+
+		if ( flags.RST() )
+			{
+			if ( endpoint->CheckHistory(HIST_RST_PKT, 'R') &&
+			     rel_seq != endpoint->hist_last_RST )
+				endpoint->AddHistory('R');
+
+			endpoint->hist_last_RST = rel_seq;
+			}
+		}
+
+	else
+		{ // bits_set == 0
+		if ( len )
+			endpoint->CheckHistory(HIST_DATA_PKT, 'D');
+
+		else if ( flags.ACK() )
+			endpoint->CheckHistory(HIST_ACK_PKT, 'A');
+		}
+	}
+
+static void init_window(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+                        TCP_Flags flags, bro_int_t scale, uint32 base_seq,
+                        uint32 ack_seq)
+	{
+	// ### In the following, we could be fooled by an
+	// inconsistent SYN retransmission.  Where's a normalizer
+	// when you need one?
+
+	if ( scale < 0 )
+		{ // no window scaling option
+		if ( flags.ACK() )
+			{ // window scaling not negotiated
+			endpoint->window_scale = 0;
+			peer->window_scale = 0;
+			}
+		else
+			// We're not offering window scaling.
+			// Ideally, we'd remember this fact so that
+			// if the SYN/ACK *does* include window
+			// scaling, we know it won't be negotiated.
+			// But it's a pain to track that, and hard
+			// to see how an adversarial responder could
+			// use it to evade.  Also, if we *do* want
+			// to track it, we could do so using
+			// connection_SYN_packet.
+			endpoint->window_scale = 0;
+		}
+	else
+		{
+		endpoint->window_scale = scale;
+		endpoint->window_seq = base_seq;
+		endpoint->window_ack_seq = ack_seq;
+
+		peer->window_seq = ack_seq;
+		peer->window_ack_seq = base_seq;
+		}
+	}
+
+static void update_window(TCP_Endpoint* endpoint, unsigned int window,
+                          uint32 base_seq, uint32 ack_seq, TCP_Flags flags)
+	{
+	// Note, the offered window on an initial SYN is unscaled, even
+	// if the SYN includes scaling, so we need to do the following
+	// test *before* updating the scaling information below.  (Hmmm,
+	// how does this work for windows on SYN/ACKs? ###)
+	int scale = endpoint->window_scale;
+	window = window << scale;
+
+	// Don't analyze window values off of SYNs, they're sometimes
+	// immediately rescinded.
+	if ( ! flags.SYN() )
+		{
+		// ### Decide whether to accept new window based on Active
+		// Mapping policy.
+		if ( seq_delta(base_seq, endpoint->window_seq) >= 0 &&
+		     seq_delta(ack_seq, endpoint->window_ack_seq) >= 0 )
+			{
+			uint32 new_edge = ack_seq + window;
+			uint32 old_edge = endpoint->window_ack_seq + endpoint->window;
+			int32 advance = seq_delta(new_edge, old_edge);
+
+			if ( advance < 0 )
+				{
+				// A window recision.  We don't report these
+				// for FINs or RSTs, or if the connection
+				// has already been partially closed, since
+				// such recisions occur frequently in practice,
+				// probably as the receiver loses buffer memory
+				// due to its process going away.
+				//
+				// We also, for window scaling, allow a bit
+				// of slop ###.  This is because sometimes
+				// there will be an apparent recision due
+				// to the granularity of the scaling.
+				if ( ! flags.FIN() && ! flags.RST() &&
+				     endpoint->state != TCP_ENDPOINT_CLOSED &&
+				     endpoint->state != TCP_ENDPOINT_RESET &&
+				     (-advance) >= (1 << scale) )
+					endpoint->Conn()->Weird("window_recision");
+				}
+
+			endpoint->window = window;
+			endpoint->window_ack_seq = ack_seq;
+			endpoint->window_seq = base_seq;
+			}
+		}
+	}
+
+static void syn_weirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len)
+	{
+	if ( flags.RST() )
+		endpoint->Conn()->Weird("TCP_christmas");
+
+	if ( flags.URG() )
+		endpoint->Conn()->Weird("baroque_SYN");
+
+	if ( data_len > 0 )
+		// Not technically wrong according to RFC 793, but the other side
+		// would be forced to buffer data until the handshake succeeds, and
+		// that could be bad in some cases, e.g. SYN floods.
+		// T/TCP definitely complicates this.
+		endpoint->Conn()->Weird("SYN_with_data");
+	}
+
+void TCP_Analyzer::UpdateInactiveState(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( is_orig )
+			{
+			if ( flags.ACK() )
+				{
+				Weird("connection_originator_SYN_ack");
+				endpoint->SetState(TCP_ENDPOINT_SYN_ACK_SENT);
+				}
+			else
+				endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
+
+			if ( tcp_attempt_delay )
+				ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
+					t + tcp_attempt_delay, 1,
+					TIMER_TCP_ATTEMPT);
+			}
+		else
+			{
+			if ( flags.ACK() )
+				{
+				if ( peer->state != TCP_ENDPOINT_INACTIVE &&
+				     peer->state != TCP_ENDPOINT_PARTIAL &&
+				     ! seq_between(ack_seq, peer->StartSeq(), peer->LastSeq()) )
+					Weird("bad_SYN_ack");
+				}
+
+			else if ( peer->state == TCP_ENDPOINT_SYN_ACK_SENT &&
+				  base_seq == endpoint->StartSeq() )
+				{
+				// This is a SYN/SYN-ACK reversal,
+				// per the discussion in IsReuse.
+				// Flip the endpoints and establish
+				// the connection.
+				is_partial = 0;
+				Conn()->FlipRoles();
+				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+				}
+
+			else
+				Weird("simultaneous_open");
+
+			if ( peer->state == TCP_ENDPOINT_SYN_SENT )
+				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+			else if ( peer->state == TCP_ENDPOINT_INACTIVE )
+				{
+				// If we were to ignore SYNs and
+				// only instantiate state on SYN
+				// acks, then we'd do:
+				//    peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+				// here.
+				Weird("unsolicited_SYN_response");
+				}
+
+			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
+
+			if ( peer->state != TCP_ENDPOINT_PARTIAL )
+				{
+				Event(connection_established);
+				Conn()->EnableStatusUpdateTimer();
+				}
+			}
+		}
+
+	if ( flags.FIN() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+		do_close = gen_event = 1;
+		if ( peer->state != TCP_ENDPOINT_PARTIAL && ! flags.SYN() )
+			Weird("spontaneous_FIN");
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+
+		int is_reject = 0;
+
+		if ( is_orig )
+			{
+			// If our peer is established then we saw
+			// a SYN-ack but not SYN - so a reverse
+			// scan, and we should treat this as a
+			// reject.
+			if ( peer->state == TCP_ENDPOINT_ESTABLISHED )
+				is_reject = 1;
+			}
+
+		else if ( peer->state == TCP_ENDPOINT_SYN_SENT ||
+			  peer->state == TCP_ENDPOINT_SYN_ACK_SENT )
+			// We're rejecting an initial SYN.
+			is_reject = 1;
+
+		do_close = 1;
+		gen_event = ! is_reject;
+
+		if ( is_reject )
+			Event(connection_rejected);
+
+		else if ( peer->state == TCP_ENDPOINT_INACTIVE )
+			Weird("spontaneous_RST");
+		}
+
+	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
+		{ // No control flags to change the state.
+		if ( ! is_orig && len == 0 &&
+		     orig->state == TCP_ENDPOINT_SYN_SENT )
+			// Some eccentric TCP's will ack an initial
+			// SYN prior to sending a SYN reply (hello,
+			// ftp.microsoft.com).  For those, don't
+			// consider the ack as forming a partial
+			// connection.
+			;
+		else
+			{
+			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
+			Conn()->EnableStatusUpdateTimer();
+
+			if ( peer->state == TCP_ENDPOINT_PARTIAL )
+				// We've seen both sides of a partial
+				// connection, report it.
+				Event(partial_connection);
+			}
+		}
+	}
+
+void TCP_Analyzer::UpdateSYN_SentState(
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			int len, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( is_orig )
+			{
+			if ( flags.ACK() && ! flags.FIN() && ! flags.RST() &&
+			     endpoint->state != TCP_ENDPOINT_SYN_ACK_SENT )
+				Weird("repeated_SYN_with_ack");
+			}
+		else
+			{
+			if ( ! flags.ACK() &&
+			     endpoint->state != TCP_ENDPOINT_SYN_SENT )
+				Weird("repeated_SYN_reply_wo_ack");
+			}
+		}
+
+	if ( flags.FIN() )
+		{
+		if ( peer->state == TCP_ENDPOINT_INACTIVE ||
+		     peer->state == TCP_ENDPOINT_SYN_SENT )
+			Weird("inappropriate_FIN");
+
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+		do_close = gen_event = 1;
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+		ConnectionReset();
+		do_close = 1;
+		}
+
+	else if ( len > 0 )
+		Weird("data_before_established");
+	}
+
+void TCP_Analyzer::UpdateEstablishedState(
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			TCP_Flags flags, int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( endpoint->state == TCP_ENDPOINT_PARTIAL &&
+		     peer->state == TCP_ENDPOINT_INACTIVE && ! flags.ACK() )
+			{
+			Weird("SYN_after_partial");
+			endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
+			}
+		}
+
+	if ( flags.FIN() && ! flags.RST() )	// ###
+		{ // should check sequence/ack numbers here ###
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+
+		if ( peer->state == TCP_ENDPOINT_RESET &&
+		     peer->prev_state == TCP_ENDPOINT_CLOSED )
+			// The peer sent a FIN followed by a RST.
+			// Turn it back into CLOSED state, because
+			// this was actually normal termination.
+			peer->SetState(TCP_ENDPOINT_CLOSED);
+
+		do_close = gen_event = 1;
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+		do_close = 1;
+
+		if ( peer->state != TCP_ENDPOINT_RESET ||
+		     peer->prev_state != TCP_ENDPOINT_ESTABLISHED )
+			ConnectionReset();
+		}
+	}
+
+void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint,
+				int32 delta_last, TCP_Flags flags, int& do_close)
+	{
+	if ( flags.SYN() )
+		Weird("SYN_after_close");
+
+	if ( flags.FIN() && delta_last > 0 )
+		// Probably should also complain on FIN recision.
+		// That requires an extra state variable to avoid
+		// generating slews of weird's when a TCP gets
+		// seriously confused (this from experience).
+		Weird("FIN_advanced_last_seq");
+
+	// Previously, our state was CLOSED, since we sent a FIN.
+	// If our peer was also closed, then don't change our state
+	// now on a RST, since this connection has already seen a FIN
+	// exchange.
+	if ( flags.RST() && endpoint->peer->state != TCP_ENDPOINT_CLOSED )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+
+		if ( ! endpoint->did_close )
+			// RST after FIN.
+			do_close = 1;
+
+		if ( connection_reset )
+			ADD_ANALYZER_TIMER(&TCP_Analyzer::ResetTimer,
+					t + tcp_reset_delay, 1,
+					TIMER_TCP_RESET);
+		}
+	}
+
+void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags)
+	{
+	if ( flags.SYN() )
+		Weird("SYN_after_reset");
+
+	if ( flags.FIN() )
+		Weird("FIN_after_reset");
+
+	if ( len > 0 && ! flags.RST() )
+		Weird("data_after_reset");
+	}
+
+void TCP_Analyzer::UpdateStateMachine(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int32 delta_last, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	do_close = 0;	// whether to report the connection as closed
+	gen_event = 0;	// if so, whether to generate an event
+
+	switch ( endpoint->state ) {
+
+	case TCP_ENDPOINT_INACTIVE:
+		UpdateInactiveState(t, endpoint, peer, base_seq, ack_seq,
+					len, is_orig, flags,
+					do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_SYN_SENT:
+	case TCP_ENDPOINT_SYN_ACK_SENT:
+		UpdateSYN_SentState(endpoint, peer, len, is_orig, flags, do_close,
+		                    gen_event);
+		break;
+
+	case TCP_ENDPOINT_ESTABLISHED:
+	case TCP_ENDPOINT_PARTIAL:
+		UpdateEstablishedState(endpoint, peer, flags, do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_CLOSED:
+		UpdateClosedState(t, endpoint, delta_last, flags, do_close);
+		break;
+
+	case TCP_ENDPOINT_RESET:
+		UpdateResetState(len, flags);
+		break;
+	}
+	}
+
+void TCP_Analyzer::GeneratePacketEvent(
+					uint64 rel_seq, uint64 rel_ack,
+					const u_char* data, int len, int caplen,
+					int is_orig, TCP_Flags flags)
+	{
+	char tcp_flags[256];
+	int tcp_flag_len = 0;
+
+	if ( flags.SYN() ) tcp_flags[tcp_flag_len++] = 'S';
+	if ( flags.FIN() ) tcp_flags[tcp_flag_len++] = 'F';
+	if ( flags.RST() ) tcp_flags[tcp_flag_len++] = 'R';
+	if ( flags.ACK() ) tcp_flags[tcp_flag_len++] = 'A';
+	if ( flags.PUSH() ) tcp_flags[tcp_flag_len++] = 'P';
+	if ( flags.URG() ) tcp_flags[tcp_flag_len++] = 'U';
+
+	tcp_flags[tcp_flag_len] = '\0';
+
+	val_list* vl = new val_list();
+
+	vl->append(BuildConnVal());
+	vl->append(new Val(is_orig, TYPE_BOOL));
+	vl->append(new StringVal(tcp_flags));
+	vl->append(new Val(rel_seq, TYPE_COUNT));
+	vl->append(new Val(flags.ACK() ? rel_ack : 0, TYPE_COUNT));
+	vl->append(new Val(len, TYPE_COUNT));
+
+	// We need the min() here because Ethernet padding can lead to
+	// caplen > len.
+	vl->append(new StringVal(min(caplen, len), (const char*) data));
+
+	ConnectionEvent(tcp_packet, vl);
+	}
+
+int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
+				const IP_Hdr* ip, const struct tcphdr* tp,
+				TCP_Endpoint* endpoint, uint64 rel_data_seq,
+				int is_orig, TCP_Flags flags)
+	{
+	return endpoint->DataSent(t, rel_data_seq, len, caplen, data, ip, tp);
+	}
+
+void TCP_Analyzer::CheckRecording(int need_contents, TCP_Flags flags)
+	{
+	bool record_current_content = need_contents || Conn()->RecordContents();
+	bool record_current_packet =
+		Conn()->RecordPackets() ||
+		flags.SYN() || flags.FIN() || flags.RST();
+
+	Conn()->SetRecordCurrentContent(record_current_content);
+	Conn()->SetRecordCurrentPacket(record_current_packet);
+	}
+
+void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
+	{
+	if ( is_orig && ! (first_packet_seen & ORIG) )
+		{
+		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
+		if ( pia )
+			pia->FirstPacket(is_orig, ip);
+		first_packet_seen |= ORIG;
+		}
+
+	if ( ! is_orig && ! (first_packet_seen & RESP) )
+		{
+		pia::PIA_TCP* pia = static_cast<pia::PIA_TCP*>(Conn()->GetPrimaryPIA());
+		if ( pia )
+			pia->FirstPacket(is_orig, ip);
+		first_packet_seen |= RESP;
+		}
+	}
+
+static uint64 get_relative_seq(const TCP_Endpoint* endpoint,
+                               uint32 cur_base, uint32 last, uint32 wraps,
+                               bool* underflow = 0)
+	{
+	int32 delta = seq_delta(cur_base, last);
+
+	if ( delta < 0 )
+		{
+		if ( wraps && cur_base > last )
+			// Seems to be a part of a previous 32-bit sequence space.
+			--wraps;
+		}
+	else if ( delta > 0 )
+		{
+		if ( cur_base < last )
+			// The sequence space wrapped around.
+			++wraps;
+		}
+
+	if ( wraps == 0 )
+		{
+		delta = seq_delta(cur_base, endpoint->StartSeq());
+
+		if ( underflow && delta < 0 )
+			*underflow = true;
+
+		return delta;
+		}
+
+	return endpoint->ToRelativeSeqSpace(cur_base, wraps);
+	}
+
+static int get_segment_len(int payload_len, TCP_Flags flags)
+	{
+	int seg_len = payload_len;
+
+	if ( flags.SYN() )
+		// SYN consumes a byte of sequence space.
+		++seg_len;
+
+	if ( flags.FIN() )
+		// FIN consumes a bytes of sequence space.
+		++seg_len;
+
+	if ( flags.RST() )
+		// Don't include the data in the computation of
+		// the sequence space for this connection, as
+		// it's not in fact part of the TCP stream.
+		seg_len -= payload_len;
+
+	return seg_len;
+	}
+
+static void init_endpoint(TCP_Endpoint* endpoint, TCP_Flags flags,
+                          uint32 first_seg_seq, uint32 last_seq, double t)
+	{
+	switch ( endpoint->state ) {
+	case TCP_ENDPOINT_INACTIVE:
+		if ( flags.SYN() )
+			{
+			endpoint->InitAckSeq(first_seg_seq);
+			endpoint->InitStartSeq(first_seg_seq);
+			}
+		else
+			{
+			// This is a partial connection - set up the initial sequence
+			// numbers as though we saw a SYN, to keep the relative byte
+			// numbering consistent.
+			endpoint->InitAckSeq(first_seg_seq - 1);
+			endpoint->InitStartSeq(first_seg_seq - 1);
+			}
+
+		endpoint->InitLastSeq(last_seq);
+		endpoint->start_time = t;
+		break;
+
+	case TCP_ENDPOINT_SYN_SENT:
+	case TCP_ENDPOINT_SYN_ACK_SENT:
+		if ( flags.SYN() && first_seg_seq != endpoint->StartSeq() )
+			{
+			endpoint->Conn()->Weird("SYN_seq_jump");
+			endpoint->InitStartSeq(first_seg_seq);
+			endpoint->InitAckSeq(first_seg_seq);
+			endpoint->InitLastSeq(last_seq);
+			}
+		break;
+
+	case TCP_ENDPOINT_ESTABLISHED:
+	case TCP_ENDPOINT_PARTIAL:
+		if ( flags.SYN() )
+			{
+			if ( endpoint->Size() > 0 )
+				endpoint->Conn()->Weird("SYN_inside_connection");
+
+			if ( first_seg_seq != endpoint->StartSeq() )
+				endpoint->Conn()->Weird("SYN_seq_jump");
+
+			// Make a guess that somehow the connection didn't get established,
+			// and this SYN will be the one that actually sets it up.
+			endpoint->InitStartSeq(first_seg_seq);
+			endpoint->InitAckSeq(first_seg_seq);
+			endpoint->InitLastSeq(last_seq);
+			}
+		break;
+
+	case TCP_ENDPOINT_RESET:
+		if ( flags.SYN() )
+			{
+			if ( endpoint->prev_state == TCP_ENDPOINT_INACTIVE )
+				{
+				// Seq. numbers were initialized by a RST packet from this
+				// endpoint, but now that a SYN is seen from it, that could mean
+				// the earlier RST was spoofed/injected, so re-initialize.  This
+				// mostly just helps prevent misrepresentations of payload sizes
+				// that are based on bad initial sequence values.
+				endpoint->InitStartSeq(first_seg_seq);
+				endpoint->InitAckSeq(first_seg_seq);
+				endpoint->InitLastSeq(last_seq);
+				}
+			}
+		break;
+
+	default:
+		break;
+	}
+	}
+
+static void init_peer(TCP_Endpoint* peer, TCP_Endpoint* endpoint,
+                      TCP_Flags flags, uint32 ack_seq)
+	{
+	if ( ! flags.SYN() && ! flags.FIN() && ! flags.RST() )
+		{
+		if ( endpoint->state == TCP_ENDPOINT_SYN_SENT ||
+			 endpoint->state == TCP_ENDPOINT_SYN_ACK_SENT ||
+			 endpoint->state == TCP_ENDPOINT_ESTABLISHED )
+			{
+			// We've already sent a SYN, but that
+			// hasn't roused the other end, yet we're
+			// ack'ing their data.
+
+			if ( ! endpoint->Conn()->DidWeird() )
+				endpoint->Conn()->Weird("possible_split_routing");
+			}
+		}
+
+	// Start the sequence numbering as if there was an initial
+	// SYN, so the relative numbering of subsequent data packets
+	// stays consistent.
+	peer->InitStartSeq(ack_seq - 1);
+	peer->InitAckSeq(ack_seq - 1);
+	peer->InitLastSeq(ack_seq - 1);
+	}
+
+static void update_ack_seq(TCP_Endpoint* endpoint, uint32 ack_seq)
+	{
+	int32 delta_ack = seq_delta(ack_seq, endpoint->AckSeq());
+
+	if ( ack_seq == 0 && delta_ack > TOO_LARGE_SEQ_DELTA )
+		// More likely that this is a broken ack than a
+		// large connection that happens to land on 0 in the
+		// sequence space.
+		;
+	else if ( delta_ack > 0 )
+		endpoint->UpdateAckSeq(ack_seq);
+	}
+
+// Returns the difference between last_seq and the last sequence
+// seen by the endpoint (may be negative).
+static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq,
+                             TCP_Flags flags)
+	{
+	int32 delta_last = seq_delta(last_seq, endpoint->LastSeq());
+
+	if ( (flags.SYN() || flags.RST()) &&
+	     (delta_last > TOO_LARGE_SEQ_DELTA ||
+	      delta_last < -TOO_LARGE_SEQ_DELTA) )
+		// ### perhaps trust RST seq #'s if initial and not too
+		// outlandish, but not if they're coming after the other
+		// side has sent a FIN - trust the FIN ack instead
+		;
+
+	else if ( flags.FIN() &&
+		  endpoint->LastSeq() == endpoint->StartSeq() + 1 )
+		// Update last_seq based on the FIN even if delta_last < 0.
+		// This is to accommodate > 2 GB connections for which
+		// we've only seen the SYN and the FIN (hence the check
+		// for last_seq == start_seq + 1).
+		endpoint->UpdateLastSeq(last_seq);
+
+	else if ( endpoint->state == TCP_ENDPOINT_RESET )
+		// don't trust any subsequent sequence numbers
+		;
+
+	else if ( delta_last > 0 )
+		// ### check for large jumps here.
+		// ## endpoint->last_seq = last_seq;
+		endpoint->UpdateLastSeq(last_seq);
+
+	else if ( delta_last <= 0 )
+		{ // ### ++retransmit, unless this is a pure ack
+		}
+
+	return delta_last;
+	}
+
+void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
+					uint64 seq, const IP_Hdr* ip, int caplen)
+	{
+	TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	const struct tcphdr* tp = ExtractTCP_Header(data, len, caplen);
+	if ( ! tp )
+		return;
+
+	// We need the min() here because Ethernet frame padding can lead to
+	// caplen > len.
+	if ( packet_contents )
+		PacketContents(data, min(len, caplen));
+
+	TCP_Endpoint* endpoint = is_orig ? orig : resp;
+	TCP_Endpoint* peer = endpoint->peer;
+
+	if ( ! ValidateChecksum(tp, endpoint, len, caplen) )
+		return;
+
+	uint32 tcp_hdr_len = data - (const u_char*) tp;
+	TCP_Flags flags(tp);
+	SetPartialStatus(flags, endpoint->IsOrig());
+
+	uint32 base_seq = ntohl(tp->th_seq);
+	uint32 ack_seq = ntohl(tp->th_ack);
+
+	int seg_len = get_segment_len(len, flags);
+	uint32 seq_one_past_segment = base_seq + seg_len;
+
+	init_endpoint(endpoint, flags, base_seq, seq_one_past_segment,
+	              current_timestamp);
+
+	bool seq_underflow = false;
+	uint64 rel_seq = get_relative_seq(endpoint, base_seq, endpoint->LastSeq(),
+	                                  endpoint->SeqWraps(), &seq_underflow);
+
+	if ( seq_underflow && ! flags.RST() )
+		// Can't tell if if this is a retransmit/out-of-order or something
+		// before the sequence Bro initialized the endpoint at or the TCP is
+		// just broken and sending garbage sequences.  In either case, some
+		// standard analysis doesn't apply (e.g. reassembly).
+		Weird("TCP_seq_underflow_or_misorder");
+
+	update_history(flags, endpoint, rel_seq, len);
+	update_window(endpoint, ntohs(tp->th_win), base_seq, ack_seq, flags);
+
+	if ( ! orig->did_close || ! resp->did_close )
+		Conn()->SetLastTime(current_timestamp);
+
+	if ( flags.SYN() )
+		{
+		syn_weirds(flags, endpoint, len);
+		RecordVal* SYN_vals = build_syn_packet_val(is_orig, ip, tp);
+		init_window(endpoint, peer, flags, SYN_vals->Lookup(5)->CoerceToInt(),
+		            base_seq, ack_seq);
+
+		if ( connection_SYN_packet )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(SYN_vals->Ref());
+			ConnectionEvent(connection_SYN_packet, vl);
+			}
+
+		passive_fingerprint(this, is_orig, ip, tp, tcp_hdr_len);
+
+		Unref(SYN_vals);
+		}
+
+	if ( flags.FIN() )
+		{
+		++endpoint->FIN_cnt;
+
+		if ( endpoint->FIN_cnt >= tcp_storm_thresh && current_timestamp <
+		     endpoint->last_time + tcp_storm_interarrival_thresh )
+			Weird("FIN_storm");
+
+		endpoint->FIN_seq = rel_seq + seg_len;
+		}
+
+	if ( flags.RST() )
+		{
+		++endpoint->RST_cnt;
+
+		if ( endpoint->RST_cnt >= tcp_storm_thresh && current_timestamp <
+		     endpoint->last_time + tcp_storm_interarrival_thresh )
+			Weird("RST_storm");
+
+		// This now happens often enough that it's
+		// not in the least interesting.
+		//if ( len > 0 )
+		//	Weird("RST_with_data");
+
+		PacketWithRST();
+		}
+
+	uint64 rel_ack = 0;
+
+	if ( flags.ACK() )
+		{
+		if ( is_orig && ! seen_first_ACK &&
+		     (endpoint->state == TCP_ENDPOINT_ESTABLISHED ||
+		      endpoint->state == TCP_ENDPOINT_SYN_SENT) )
+			{
+			seen_first_ACK = 1;
+			Event(connection_first_ACK);
+			}
+
+		if ( peer->state == TCP_ENDPOINT_INACTIVE )
+			{
+			rel_ack = 1;
+			init_peer(peer, endpoint, flags, ack_seq);
+			}
+		else
+			{
+			bool ack_underflow = false;
+			rel_ack = get_relative_seq(peer, ack_seq, peer->AckSeq(),
+			                           peer->AckWraps(), &ack_underflow);
+
+			if ( ack_underflow )
+				{
+				rel_ack = 0;
+				Weird("TCP_ack_underflow_or_misorder");
+				}
+			else if ( ! flags.RST() )
+				// Don't trust ack's in RSt packets.
+				update_ack_seq(peer, ack_seq);
+			}
+
+		peer->AckReceived(rel_ack);
+		}
+
+	int32 delta_last = update_last_seq(endpoint, seq_one_past_segment, flags);
+	endpoint->last_time = current_timestamp;
+
+	int do_close;
+	int gen_event;
+	UpdateStateMachine(current_timestamp, endpoint, peer, base_seq, ack_seq,
+	                   len, delta_last, is_orig, flags, do_close, gen_event);
+
+	if ( tcp_packet )
+		GeneratePacketEvent(rel_seq, rel_ack, data, len, caplen, is_orig,
+		                    flags);
+
+	if ( tcp_option && tcp_hdr_len > sizeof(*tp) &&
+	     tcp_hdr_len <= uint32(caplen) )
+		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
+
+	if ( DEBUG_tcp_data_sent )
+		{
+		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
+			  network_time, len, caplen, Skipping());
+		}
+
+	uint64 rel_data_seq = flags.SYN() ? rel_seq + 1 : rel_seq;
+
+	int need_contents = 0;
+	if ( len > 0 && (caplen >= len || packet_children.size()) &&
+	     ! flags.RST() && ! Skipping() && ! seq_underflow )
+		need_contents = DeliverData(current_timestamp, data, len, caplen, ip,
+		                            tp, endpoint, rel_data_seq, is_orig, flags);
+
+	endpoint->CheckEOF();
+
+	if ( do_close )
+		{
+		// We need to postpone doing this until after we process
+		// DataSent, so we don't generate a connection_finished event
+		// until after data perhaps included with the FIN is processed.
+		ConnectionClosed(endpoint, peer, gen_event);
+		}
+
+	CheckRecording(need_contents, flags);
+
+	// Handle child_packet analyzers.  Note: This happens *after* the
+	// packet has been processed and the TCP state updated.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->NextPacket(len, data, is_orig, rel_data_seq, ip, caplen);
+
+	if ( ! reassembling )
+		ForwardPacket(len, data, is_orig, rel_data_seq, ip, caplen);
+
+	CheckPIA_FirstPacket(is_orig, ip);
+	}
+
+void TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	Analyzer::DeliverStream(len, data, orig);
+	}
+
+void TCP_Analyzer::Undelivered(uint64 seq, int len, bool is_orig)
+	{
+	Analyzer::Undelivered(seq, len, orig);
+	}
+
+void TCP_Analyzer::FlipRoles()
+	{
+	Analyzer::FlipRoles();
+
+	sessions->tcp_stats.FlipState(orig->state, resp->state);
+	TCP_Endpoint* tmp_ep = resp;
+	resp = orig;
+	orig = tmp_ep;
+	orig->is_orig = !orig->is_orig;
+	resp->is_orig = !resp->is_orig;
+	}
+
+void TCP_Analyzer::UpdateConnVal(RecordVal *conn_val)
+	{
+	RecordVal *orig_endp_val = conn_val->Lookup("orig")->AsRecordVal();
+	RecordVal *resp_endp_val = conn_val->Lookup("resp")->AsRecordVal();
+
+	orig_endp_val->Assign(0, new Val(orig->Size(), TYPE_COUNT));
+	orig_endp_val->Assign(1, new Val(int(orig->state), TYPE_COUNT));
+	resp_endp_val->Assign(0, new Val(resp->Size(), TYPE_COUNT));
+	resp_endp_val->Assign(1, new Val(int(resp->state), TYPE_COUNT));
+
+	// Call children's UpdateConnVal
+	Analyzer::UpdateConnVal(conn_val);
+
+	// Have to do packet_children ourselves.
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->UpdateConnVal(conn_val);
+	}
+
 int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp,
 					proc_tcp_option_t proc,
 					TCP_Analyzer* analyzer,
@@ -1849,11 +1897,11 @@ void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason,
 	}
 
 void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data,
-						bool is_orig, int seq,
+						bool is_orig, uint64 seq,
 						const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
-	DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]",
+	DBG_LOG(DBG_ANALYZER, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %"PRIu64", %p, %d) [%s%s]",
 			len, is_orig ? "T" : "F", seq, ip, caplen,
 			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
 	}
@@ -1930,7 +1978,7 @@ int endian_flip(int n)
 	return ((n & 0xff) << 8) | ((n & 0xff00) >> 8);
 	}
 
-int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
+int TCPStats_Endpoint::DataSent(double /* t */, uint64 seq, int len, int caplen,
 			const u_char* /* data */,
 			const IP_Hdr* ip, const struct tcphdr* /* tp */)
 	{
@@ -1990,14 +2038,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 
 	++num_in_order;
 
-	int top_seq = seq + len;
+	uint64 top_seq = seq + len;
 
-	int data_in_flight = endp->LastSeq() - endp->AckSeq();
+	int32 data_in_flight = seq_delta(endp->LastSeq(), endp->AckSeq());
 	if ( data_in_flight < 0 )
 		data_in_flight = 0;
 
-	int seq_delta = top_seq - max_top_seq;
-	if ( seq_delta <= 0 )
+	int64 sequence_delta = top_seq - max_top_seq;
+	if ( sequence_delta <= 0 )
 		{
 		if ( ! BifConst::ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
 			{
@@ -2005,7 +2053,7 @@ int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
 			num_rxmit_bytes += len;
 			}
 
-		DEBUG_MSG("%.6f rexmit %d + %d <= %d data_in_flight = %d\n",
+		DEBUG_MSG("%.6f rexmit %"PRIu64" + %d <= %"PRIu64" data_in_flight = %d\n",
 		 	network_time, seq, len, max_top_seq, data_in_flight);
 
 		if ( tcp_rexmit )
@@ -2073,7 +2121,7 @@ void TCPStats_Analyzer::Done()
 	ConnectionEvent(conn_stats, vl);
 	}
 
-void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h
index b2649b4ab8..b00e73d348 100644
--- a/src/analyzer/protocol/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
@@ -102,9 +102,9 @@ protected:
 	// Analyzer interface.
 	virtual void Init();
 	virtual void Done();
-	virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
-	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void Undelivered(uint64 seq, int len, bool orig);
 	virtual void FlipRoles();
 	virtual bool IsReuse(double t, const u_char* pkt);
 
@@ -119,42 +119,7 @@ protected:
 	bool ValidateChecksum(const struct tcphdr* tp, TCP_Endpoint* endpoint,
 				int len, int caplen);
 
-	// Update analysis based on flag combinations.  The endpoint, base_seq
-	// and len are needed for tracking various history information.
-	// dst_port is needed for trimming of FIN packets.
-	void CheckFlagCombos(TCP_Flags flags, TCP_Endpoint* endpoint,
-				uint32 base_seq, int len, int dst_port);
-
-	void UpdateWindow(TCP_Endpoint* endpoint, unsigned int window,
-					uint32 base_seq, uint32 ack_seq,
-					TCP_Flags flags);
-
-	void ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
-			uint32 tcp_hdr_len, int& seq_len,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq,
-			const IPAddr& orig_addr,
-			int is_orig, TCP_Flags flags);
-
-	void ProcessFIN(double t, TCP_Endpoint* endpoint, int& seq_len,
-			uint32 base_seq);
-
-	void ProcessRST(double t, TCP_Endpoint* endpoint, const IP_Hdr* ip,
-			uint32 base_seq, int len, int& seq_len);
-
-	void ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 ack_seq, int is_orig, TCP_Flags flags);
-
-	void ProcessFlags(double t, const IP_Hdr* ip, const struct tcphdr* tp,
-			uint32 tcp_hdr_len, int len, int& seq_len,
-			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq,
-			const IPAddr& orig_addr,
-			int is_orig, TCP_Flags flags);
-
-	void TransitionFromInactive(double t, TCP_Endpoint* endpoint,
-					uint32 base_seq, uint32 last_seq,
-					int SYN);
+	void SetPartialStatus(TCP_Flags flags, bool is_orig);
 
 	// Update the state machine of the TCPs based on the activity.  This
 	// includes our pseudo-states such as TCP_ENDPOINT_PARTIAL.
@@ -164,8 +129,8 @@ protected:
 	// this fact.
 	void UpdateStateMachine(double t,
 			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-			uint32 base_seq, uint32 ack_seq, uint32 last_seq,
-			int len, int delta_last, int is_orig, TCP_Flags flags,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int32 delta_last, int is_orig, TCP_Flags flags,
 			int& do_close, int& gen_event);
 
 	void UpdateInactiveState(double t,
@@ -174,43 +139,34 @@ protected:
 				int len, int is_orig, TCP_Flags flags,
 				int& do_close, int& gen_event);
 
-	void UpdateSYN_SentState(double t,
+	void UpdateSYN_SentState(
 				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 last_seq,
 				int len, int is_orig, TCP_Flags flags,
 				int& do_close, int& gen_event);
 
-	void UpdateEstablishedState(double t,
+	void UpdateEstablishedState(
 				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-				uint32 base_seq, uint32 last_seq,
-				int is_orig, TCP_Flags flags,
-				int& do_close, int& gen_event);
+				TCP_Flags flags, int& do_close, int& gen_event);
 
 	void UpdateClosedState(double t, TCP_Endpoint* endpoint,
-				int delta_last, TCP_Flags flags,
+				int32 delta_last, TCP_Flags flags,
 				int& do_close);
 
-	void UpdateResetState(int len, TCP_Flags flags, TCP_Endpoint* endpoint,
-				uint32 base_seq, uint32 last_seq);
+	void UpdateResetState(int len, TCP_Flags flags);
 
-	void GeneratePacketEvent(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
-					uint32 base_seq, uint32 ack_seq,
+	void GeneratePacketEvent(
+					uint64 rel_seq, uint64 rel_ack,
 					const u_char* data, int len, int caplen,
 					int is_orig, TCP_Flags flags);
 
 	int DeliverData(double t, const u_char* data, int len, int caplen,
 			const IP_Hdr* ip, const struct tcphdr* tp,
-			TCP_Endpoint* endpoint, uint32 base_seq,
+			TCP_Endpoint* endpoint, uint64 rel_data_seq,
 			int is_orig, TCP_Flags flags);
 
 	void CheckRecording(int need_contents, TCP_Flags flags);
 	void CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip);
 
-	// Returns the difference between last_seq and the last sequence
-	// seen by the endpoint (may be negative).
-	int UpdateLastSeq(TCP_Endpoint* endpoint, uint32 last_seq,
-				TCP_Flags flags);
-
 	friend class ConnectionTimer;
 	void AttemptTimer(double t);
 	void PartialCloseTimer(double t);
@@ -228,12 +184,6 @@ protected:
 
 	void SetReassembler(tcp::TCP_Reassembler* rorig, tcp::TCP_Reassembler* rresp);
 
-	Val* BuildSYNPacketVal(int is_orig,
-				const IP_Hdr* ip, const struct tcphdr* tcp);
-
-	RecordVal* BuildOSVal(int is_orig, const IP_Hdr* ip,
-				const struct tcphdr* tcp, uint32 tcp_hdr_len);
-
 	// Needs to be static because it's passed as a pointer-to-function
 	// rather than pointer-to-member-function.
 	static int TCPOptionEvent(unsigned int opt, unsigned int optlen,
@@ -304,7 +254,7 @@ public:
 	virtual void PacketWithRST();
 
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual void Init();
 
 	// This suppresses violations if the TCP connection wasn't
@@ -341,7 +291,7 @@ class TCPStats_Endpoint {
 public:
 	TCPStats_Endpoint(TCP_Endpoint* endp);
 
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 			const IP_Hdr* ip, const struct tcphdr* tp);
 
 	RecordVal* BuildStats();
@@ -354,7 +304,7 @@ protected:
 	int num_in_order;
 	int num_OO;
 	int num_repl;
-	int max_top_seq;
+	uint64 max_top_seq;
 	int last_id;
 	int endian_type;
 };
@@ -372,7 +322,7 @@ public:
 
 protected:
 	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	TCPStats_Endpoint* orig_stats;
 	TCPStats_Endpoint* resp_stats;
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index ad642a46e3..2e8d6e593b 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@@ -20,7 +20,7 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig)
 	peer = 0;
 	start_time = last_time = 0.0;
 	start_seq = last_seq = ack_seq = 0;
-	last_seq_high = ack_seq_high = 0;
+	seq_wraps = ack_wraps = 0;
 	window = 0;
 	window_scale = 0;
 	window_seq = window_ack_seq = 0;
@@ -108,7 +108,8 @@ void TCP_Endpoint::CheckEOF()
 		contents_processor->CheckEOF();
 	}
 
-void TCP_Endpoint::SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack)
+void TCP_Endpoint::SizeBufferedData(uint64& waiting_on_hole,
+                                    uint64& waiting_on_ack)
 	{
 	if ( contents_processor )
 		contents_processor->SizeBufferedData(waiting_on_hole, waiting_on_ack);
@@ -159,7 +160,7 @@ void TCP_Endpoint::SetState(EndpointState new_state)
 		}
 	}
 
-bro_int_t TCP_Endpoint::Size() const
+uint64 TCP_Endpoint::Size() const
 	{
 	if ( prev_state == TCP_ENDPOINT_SYN_SENT && state == TCP_ENDPOINT_RESET &&
 	     peer->state == TCP_ENDPOINT_INACTIVE && ! NoDataAcked() )
@@ -168,14 +169,18 @@ bro_int_t TCP_Endpoint::Size() const
 		// and there was never a chance for this endpoint to send data anyway.
 		return 0;
 
-	bro_int_t size;
+	uint64 size;
+	uint64 last_seq_64 = ToFullSeqSpace(LastSeq(), SeqWraps());
+	uint64 ack_seq_64 = ToFullSeqSpace(AckSeq(), AckWraps());
 
-	uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq;
-	uint64 ack_seq_64 = (uint64(ack_seq_high) << 32) | ack_seq;
+	// Going straight to relative sequence numbers and comparing those might
+	// make more sense, but there's some cases (e.g. due to RSTs) where
+	// last_seq might not be initialized to a trustworthy value such that
+	// rel_seq > rel_ack, but last_seq_64 < start_seq, which is obviously wrong.
 	if ( last_seq_64 > ack_seq_64 )
-		size = last_seq_64 - start_seq;
+		size = last_seq_64 - StartSeqI64();
 	else
-		size = ack_seq_64 - start_seq;
+		size = ack_seq_64 - StartSeqI64();
 
 	// Don't include SYN octet in sequence space.  For partial connections
 	// (no SYN seen), we're still careful to adjust start_seq as though
@@ -190,7 +195,7 @@ bro_int_t TCP_Endpoint::Size() const
 	return size;
 	}
 
-int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
+int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen,
 				const u_char* data,
 				const IP_Hdr* ip, const struct tcphdr* tp)
 	{
@@ -205,7 +210,7 @@ int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
 	if ( contents_file && ! contents_processor && 
 	     seq + len > contents_start_seq )
 		{
-		int under_seq = contents_start_seq - seq;
+		int64 under_seq = contents_start_seq - seq;
 		if ( under_seq > 0 )
 			{
 			seq += under_seq;
@@ -236,7 +241,7 @@ int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
 	return status;
 	}
 
-void TCP_Endpoint::AckReceived(int seq)
+void TCP_Endpoint::AckReceived(uint64 seq)
 	{
 	if ( contents_processor )
 		contents_processor->AckReceived(seq);
@@ -246,7 +251,7 @@ void TCP_Endpoint::SetContentsFile(BroFile* f)
 	{
 	Ref(f);
 	contents_file = f;
-	contents_start_seq = last_seq - start_seq;
+	contents_start_seq = ToRelativeSeqSpace(last_seq, seq_wraps);
 
 	if ( contents_start_seq == 0 )
 		contents_start_seq = 1;	// skip SYN
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h
index 31e239225b..471b9b9535 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@@ -38,32 +38,92 @@ public:
 
 	EndpointState State() const 	{ return state; }
 	void SetState(EndpointState new_state);
-	bro_int_t Size() const;
+	uint64 Size() const;
 	int IsActive() const
 		{ return state != TCP_ENDPOINT_INACTIVE && ! did_close; }
 
 	double StartTime() const	{ return start_time; }
 	double LastTime() const		{ return last_time; }
 
-	uint32 StartSeq() const		{ return start_seq; }
+	/**
+	 * @return The starting TCP sequence number for this endpoint.
+	 */
+	uint32 StartSeq() const		{ return static_cast<uint32>(start_seq); }
+
+	/**
+	 * @return The starting TCP sequence number for this endpoint, in terms
+	 *         of a signed sequence space, which may account for initial
+	 *         sequence space wraparounds (underflow/overflow).
+	 */
+	int64 StartSeqI64() const { return start_seq; }
+
+	/**
+	 * @return The sequence number after the last TCP sequence number seen
+	 *         from this endpoint.
+	 */
 	uint32 LastSeq() const		{ return last_seq; }
+
+	/**
+	 * @return The last TCP acknowledgement number seen from this endpoint.
+	 */
 	uint32 AckSeq() const		{ return ack_seq; }
 
-	void InitStartSeq(uint32 seq) 	{ start_seq = seq; }
+	/**
+	 * @return The number of times the TCP sequence has wrapped around
+	 *         for this endpoint (i.e. overflowed a uint32).
+	 */
+	uint32 SeqWraps() const		{ return seq_wraps; }
+
+	/**
+	 * @return The number of times the TCP acknowledgement sequence has
+	 *         wrapped around for this endpoint (i.e. overflowed a uint32).
+	 */
+	uint32 AckWraps() const		{ return ack_wraps; }
+
+	/**
+	 * @param wraps Number of times a 32-bit sequence space has wrapped.
+	 * @return A 64-bit sequence space number it would take to overflow
+	 *         a 32-bit sequence space \a wraps number of times.
+	 */
+	static uint64 ToFullSeqSpace(uint32 wraps)
+		{ return (uint64(wraps) << 32); }
+
+	/**
+	 * @param tcp_seq_num A 32-bit TCP sequence space number.
+	 * @param wraparounds Number of times a 32-bit sequence space has wrapped.
+	 * @return \a tcp_seq_num expanded out in to a 64-bit sequence space,
+	 *         accounting for the number of times the 32-bit space overflowed.
+	 */
+	static uint64 ToFullSeqSpace(uint32 tcp_seq_num, uint32 wraparounds)
+		{ return ToFullSeqSpace(wraparounds) + tcp_seq_num; }
+
+	/**
+	 * @param tcp_seq_num A 32-bit TCP sequence space number.
+	 * @param wraparounds Number of times a 32-bit sequence space has wrapped.
+	 * @return \a tcp_seq_num expanded out in to a 64-bit sequence space,
+	 *         accounting for the number of times the 32-bit space overflowed
+	 *         and relative the the starting sequence number for this endpoint.
+	 */
+	uint64 ToRelativeSeqSpace(uint32 tcp_seq_num, uint32 wraparounds) const
+		{
+		return ToFullSeqSpace(tcp_seq_num, wraparounds) - StartSeqI64();
+		}
+
+	void InitStartSeq(int64 seq) 	{ start_seq = seq; }
 	void InitLastSeq(uint32 seq) 	{ last_seq = seq; }
 	void InitAckSeq(uint32 seq) 	{ ack_seq = seq; }
 
 	void UpdateLastSeq(uint32 seq)
 		{
 		if ( seq < last_seq )
-			++last_seq_high;
+			++seq_wraps;
 		last_seq = seq;
 		}
 
 	void UpdateAckSeq(uint32 seq)
 		{
 		if ( seq < ack_seq )
-			++ack_seq_high;
+			++ack_wraps;
 		ack_seq = seq;
 		}
 
@@ -71,7 +131,10 @@ public:
 	// We allow for possibly one octet being ack'd in the case of
 	// an initial SYN exchange.
 	int NoDataAcked() const
-		{ return ack_seq == start_seq || ack_seq == start_seq + 1; }
+		{
+		uint64 ack = ToFullSeqSpace(ack_seq, ack_wraps);
+		return ack == StartSeqI64() || ack == StartSeqI64() + 1;
+		}
 
 	Connection* Conn() const;
 
@@ -96,16 +159,16 @@ public:
 	//
 	// If we're not processing contents, then naturally each of
 	// these is empty.
-	void SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack);
+	void SizeBufferedData(uint64& waiting_on_hole, uint64& waiting_on_ack);
 
 	int ValidChecksum(const struct tcphdr* tp, int len) const;
 
 	// Returns true if the data was used (and hence should be recorded
 	// in the save file), false otherwise.
-	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 			const IP_Hdr* ip, const struct tcphdr* tp);
 
-	void AckReceived(int seq);
+	void AckReceived(uint64 seq);
 
 	void SetContentsFile(BroFile* f);
 	BroFile* GetContentsFile() const	{ return contents_file; }
@@ -139,20 +202,25 @@ public:
 	int window_scale;  // from the TCP option
 	uint32 window_ack_seq; // at which ack_seq number did we record 'window'
 	uint32 window_seq; // at which sending sequence number did we record 'window'
-	int contents_start_seq;	// relative seq # where contents file starts
-	int FIN_seq;		// relative seq # to start_seq
+	uint64 contents_start_seq;	// relative seq # where contents file starts
+	uint64 FIN_seq;		// relative seq # to start_seq
 	int SYN_cnt, FIN_cnt, RST_cnt;
 	int did_close;		// whether we've reported it closing
 	int is_orig;
 
-	// Sequence numbers associated with last control packets.
+	// Relative sequence numbers associated with last control packets.
 	// Used to determine whether ones seen again are interesting,
 	// for tracking history.
-	uint32 hist_last_SYN, hist_last_FIN, hist_last_RST;
+	uint64 hist_last_SYN, hist_last_FIN, hist_last_RST;
 
 protected:
-	uint32 start_seq, last_seq, ack_seq;	// in host order
-	uint32 last_seq_high, ack_seq_high;
+	int64 start_seq;  // Initial TCP sequence number in host order.
+	                  // Signed 64-bit to detect initial sequence wrapping.
+	                  // Use StartSeq() accessor if need it in terms of
+	                  // an absolute TCP sequence number.
+	uint32 last_seq, ack_seq;	 // in host order
+	uint32 seq_wraps, ack_wraps; // Number of times 32-bit TCP sequence space
+	                             // has wrapped around (overflowed).
 };
 
 #define ENDIAN_UNKNOWN 0
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index da8dd857fd..1fabfc5d73 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -14,11 +14,6 @@ using namespace analyzer::tcp;
 
 // Note, sequence numbers are relative. I.e., they start with 1.
 
-// TODO: The Reassembler should start using 64 bit ints for keeping track of
-// sequence numbers; currently they become negative once 2GB are exceeded.
-//
-// See #348 for more information.
-
 const bool DEBUG_tcp_contents = false;
 const bool DEBUG_tcp_connection_close = false;
 const bool DEBUG_tcp_match_undelivered = false;
@@ -44,9 +39,7 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer,
 	deliver_tcp_contents = 0;
 	skip_deliveries = 0;
 	did_EOF = 0;
-#ifdef ENABLE_SEQ_TO_SKIP
 	seq_to_skip = 0;
-#endif
 	in_delivery = false;
 
 	if ( tcp_contents )
@@ -73,12 +66,11 @@ TCP_Reassembler::~TCP_Reassembler()
 
 void TCP_Reassembler::Done()
 	{
-	MatchUndelivered(-1);
+	MatchUndelivered(-1, true);
 
 	if ( record_contents_file )
 		{ // Record any undelivered data.
-		if ( blocks &&
-		     seq_delta(last_reassem_seq, last_block->upper) < 0 )
+		if ( blocks && last_reassem_seq < last_block->upper )
 			RecordToSeq(last_reassem_seq, last_block->upper,
 					record_contents_file);
 
@@ -86,13 +78,13 @@ void TCP_Reassembler::Done()
 		}
 	}
 
-void TCP_Reassembler::SizeBufferedData(int& waiting_on_hole,
-					int& waiting_on_ack) const
+void TCP_Reassembler::SizeBufferedData(uint64& waiting_on_hole,
+					uint64& waiting_on_ack) const
 	{
 	waiting_on_hole = waiting_on_ack = 0;
 	for ( DataBlock* b = blocks; b; b = b->next )
 		{
-		if ( seq_delta(b->seq, last_reassem_seq) <= 0 )
+		if ( b->seq <= last_reassem_seq )
 			// We must have delivered this block, but
 			// haven't yet trimmed it.
 			waiting_on_ack += b->Size();
@@ -126,7 +118,7 @@ void TCP_Reassembler::SetContentsFile(BroFile* f)
 	}
 
 
-void TCP_Reassembler::Undelivered(int up_to_seq)
+void TCP_Reassembler::Undelivered(uint64 up_to_seq)
 	{
 	TCP_Endpoint* endpoint = endp;
 	TCP_Endpoint* peer = endpoint->peer;
@@ -142,13 +134,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		// was a keep-alive.  So, in either case, just ignore it.
 
 		// TODO: Don't we need to update last_reassm_seq ????
-		if ( up_to_seq >=0 )
-			// Since seq are currently only 32 bit signed
-			// integers, they will become negative if a
-			// connection has more than 2GB of data. Remove the
-			// above if and always return here, once we're using
-			// 64 bit ints
-			return;
+		return;
 	}
 
 #if 0
@@ -156,15 +142,14 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		// Make sure we're not worrying about undelivered
 		// FIN control octets!
-		int FIN_seq = endpoint->FIN_seq - endpoint->start_seq;
-		if ( seq_delta(up_to_seq, FIN_seq) >= 0 )
-			up_to_seq = FIN_seq - 1;
+		if ( up_to_seq >= endpoint->FIN_seq )
+			up_to_seq = endpoint->FIN_seq - 1;
 		}
 #endif
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%d, last_reassm=%d, "
+		DEBUG_MSG("%.6f Undelivered: IsOrig()=%d up_to_seq=%"PRIu64", last_reassm=%"PRIu64", "
 		          "endp: FIN_cnt=%d, RST_cnt=%d, "
 		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
 		          network_time, IsOrig(), up_to_seq, last_reassem_seq,
@@ -172,7 +157,7 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		          peer->FIN_cnt, peer->RST_cnt);
 		}
 
-	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 )
+	if ( up_to_seq <= last_reassem_seq )
 		// This should never happen. (Reassembler::TrimToSeq has the only call
 		// to this method and only if this condition is not true).
 		reporter->InternalError("Calling Undelivered for data that has already been delivered (or has already been marked as undelivered");
@@ -195,10 +180,10 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		{
 		if ( DEBUG_tcp_contents )
 			{
-			DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%d, len=%d, "
+			DEBUG_MSG("%.6f Undelivered: IsOrig()=%d, seq=%"PRIu64", len=%"PRIu64", "
 					  "skip_deliveries=%d\n",
 					  network_time, IsOrig(), last_reassem_seq,
-					  seq_delta(up_to_seq, last_reassem_seq),
+					  up_to_seq - last_reassem_seq,
 					  skip_deliveries);
 			}
 
@@ -210,8 +195,8 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 			// packet, but it's undelievered because it's out of
 			// sequence.
 
-			int seq = last_reassem_seq;
-			int len = seq_delta(up_to_seq, last_reassem_seq);
+			uint64 seq = last_reassem_seq;
+			uint64 len = up_to_seq - last_reassem_seq;
 
 			// Only report on content gaps for connections that
 			// are in a cleanly established state.  In other
@@ -255,19 +240,19 @@ void TCP_Reassembler::Undelivered(int up_to_seq)
 		RecordToSeq(last_reassem_seq, up_to_seq, record_contents_file);
 
 	if ( tcp_match_undelivered )
-		MatchUndelivered(up_to_seq);
+		MatchUndelivered(up_to_seq, false);
 
 	// But we need to re-adjust last_reassem_seq in either case.
 	last_reassem_seq = up_to_seq;	// we've done our best ...
 	}
 
-void TCP_Reassembler::MatchUndelivered(int up_to_seq)
+void TCP_Reassembler::MatchUndelivered(uint64 up_to_seq, bool use_last_upper)
 	{
 	if ( ! blocks || ! rule_matcher )
 		return;
 
 	ASSERT(last_block);
-	if ( up_to_seq == -1 )
+	if ( use_last_upper )
 		up_to_seq = last_block->upper;
 
 	// ### Note: the original code did not check whether blocks have
@@ -277,36 +262,35 @@ void TCP_Reassembler::MatchUndelivered(int up_to_seq)
 	// We are to match any undelivered data, from last_reassem_seq to
 	// min(last_block->upper, up_to_seq).
 	// Is there such data?
-	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 ||
-	     seq_delta(last_block->upper, last_reassem_seq) <= 0 )
+	if ( up_to_seq <= last_reassem_seq ||
+	     last_block->upper <= last_reassem_seq )
 		return;
 
 	// Skip blocks that are already delivered (but not ACK'ed).
 	// Question: shall we instead keep a pointer to the first undelivered
 	// block?
 	DataBlock* b;
-	for ( b = blocks; b && seq_delta(b->upper, last_reassem_seq) <= 0;
-	      b = b->next )
+	for ( b = blocks; b && b->upper <= last_reassem_seq; b = b->next )
 	      tcp_analyzer->Conn()->Match(Rule::PAYLOAD, b->block, b->Size(),
 						false, false, IsOrig(), false);
 
 	ASSERT(b);
 	}
 
-void TCP_Reassembler::RecordToSeq(int start_seq, int stop_seq, BroFile* f)
+void TCP_Reassembler::RecordToSeq(uint64 start_seq, uint64 stop_seq, BroFile* f)
 	{
 	DataBlock* b = blocks;
 	// Skip over blocks up to the start seq.
-	while ( b && seq_delta(b->upper, start_seq) <= 0 )
+	while ( b && b->upper <= start_seq )
 		b = b->next;
 
 	if ( ! b )
 		return;
 
-	int last_seq = start_seq;
-	while ( b && seq_delta(b->upper, stop_seq) <= 0 )
+	uint64 last_seq = start_seq;
+	while ( b && b->upper <= stop_seq )
 		{
-		if ( seq_delta(b->seq, last_seq) > 0 )
+		if ( b->seq > last_seq )
 			RecordGap(last_seq, b->seq, f);
 
 		RecordBlock(b, f);
@@ -316,7 +300,7 @@ void TCP_Reassembler::RecordToSeq(int start_seq, int stop_seq, BroFile* f)
 
 	if ( b )
 		// Check for final gap.
-		if ( seq_delta(last_seq, stop_seq) < 0 )
+		if ( last_seq < stop_seq )
 			RecordGap(last_seq, stop_seq, f);
 	}
 
@@ -337,9 +321,9 @@ void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
 		}
 	}
 
-void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
+void TCP_Reassembler::RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f)
 	{
-	if ( f->Write(fmt("\n<<gap %d>>\n", seq_delta(upper_seq, start_seq))) )
+	if ( f->Write(fmt("\n<<gap %"PRIu64">>\n", upper_seq - start_seq)) )
 		return;
 
 	reporter->Error("TCP_Reassembler contents gap write failed");
@@ -356,8 +340,8 @@ void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
 
 void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 	{
-	if ( seq_delta(start_block->seq, last_reassem_seq) > 0 ||
-	     seq_delta(start_block->upper, last_reassem_seq) <= 0 )
+	if ( start_block->seq > last_reassem_seq ||
+	     start_block->upper <= last_reassem_seq )
 		return;
 
 	// We've filled a leading hole.  Deliver as much as possible.
@@ -367,12 +351,12 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 	// loop we have to take care not to deliver already-delivered
 	// data.
 	for ( DataBlock* b = start_block;
-	      b && seq_delta(b->seq, last_reassem_seq) <= 0; b = b->next )
+	      b && b->seq <= last_reassem_seq; b = b->next )
 		{
 		if ( b->seq == last_reassem_seq )
 			{ // New stuff.
-			int len = b->Size();
-			int seq = last_reassem_seq;
+			uint64 len = b->Size();
+			uint64 seq = last_reassem_seq;
 
 			last_reassem_seq += len;
 
@@ -406,10 +390,10 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 	// TCP_Connection::NextPacket.
 	}
 
-void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
+void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64 n)
 	{
 	if ( DEBUG_tcp_contents )
-		DEBUG_MSG("%.6f TCP contents overlap: %d IsOrig()=%d\n", network_time,  n, IsOrig());
+		DEBUG_MSG("%.6f TCP contents overlap: %"PRIu64" IsOrig()=%d\n", network_time,  n, IsOrig());
 
 	if ( rexmit_inconsistency &&
 	     memcmp((const void*) b1, (const void*) b2, n) &&
@@ -438,7 +422,7 @@ bool TCP_Reassembler::DoUnserialize(UnserialInfo* info)
 	return false; // Cannot be reached.
 	}
 
-void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
+void TCP_Reassembler::Deliver(uint64 seq, int len, const u_char* data)
 	{
 	if ( type == Direct )
 		dst_analyzer->NextStream(len, data, IsOrig());
@@ -446,24 +430,24 @@ void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
 		dst_analyzer->ForwardStream(len, data, IsOrig());
 	}
 
-int TCP_Reassembler::DataSent(double t, int seq, int len,
+int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
 				const u_char* data, bool replaying)
 	{
-	int ack = seq_delta(endp->AckSeq(), endp->StartSeq());
-	int upper_seq = seq + len;
+	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
+	uint64 upper_seq = seq + len;
 
 	if ( DEBUG_tcp_contents )
 		{
-		DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%d upper=%d ack=%d\n",
+		DEBUG_MSG("%.6f DataSent: IsOrig()=%d seq=%"PRIu64" upper=%"PRIu64" ack=%"PRIu64"\n",
 		          network_time, IsOrig(), seq, upper_seq, ack);
 		}
 
 	if ( skip_deliveries )
 		return 0;
 
-	if ( seq_delta(seq, ack) < 0 && ! replaying )
+	if ( seq < ack && ! replaying )
 		{
-		if ( seq_delta(upper_seq, ack) <= 0 )
+		if ( upper_seq <= ack )
 			// We've already delivered this and it's been acked.
 			return 0;
 
@@ -472,7 +456,7 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 		// packet held [a, a+b) and this packet holds [a, a+c) for c>b
 		// (which some TCP's will do when retransmitting).  Trim the
 		// packet to just the unacked data.
-		int amount_acked = seq_delta(ack, seq);
+		uint64 amount_acked = ack - seq;
 		seq += amount_acked;
 		data += amount_acked;
 		len -= amount_acked;
@@ -500,16 +484,13 @@ int TCP_Reassembler::DataSent(double t, int seq, int len,
 	}
 
 
-void TCP_Reassembler::AckReceived(int seq)
+void TCP_Reassembler::AckReceived(uint64 seq)
 	{
-	if ( endp->FIN_cnt > 0 && seq_delta(seq, endp->FIN_seq) >= 0 )
-		// TrimToSeq: FIN_seq - 1
+	if ( endp->FIN_cnt > 0 && seq >= endp->FIN_seq )
 		seq = endp->FIN_seq - 1;
 
-	int bytes_covered = seq_delta(seq, trim_seq);
-
-	if ( bytes_covered <= 0 )
-		// Zero, or negative in sequence-space terms.  Nothing to do.
+	if ( seq <= trim_seq )
+		// Nothing to do.
 		return;
 
 	bool test_active = ! skip_deliveries && ! tcp_analyzer->Skipping() &&
@@ -517,12 +498,12 @@ void TCP_Reassembler::AckReceived(int seq)
 			(endp->state == TCP_ENDPOINT_ESTABLISHED &&
 				endp->peer->state == TCP_ENDPOINT_ESTABLISHED ) );
 
-	int num_missing = TrimToSeq(seq);
+	uint64 num_missing = TrimToSeq(seq);
 
 	if ( test_active )
 		{
 		++tot_ack_events;
-		tot_ack_bytes += bytes_covered;
+		tot_ack_bytes += seq - trim_seq;
 
 		if ( num_missing > 0 )
 			{
@@ -602,20 +583,18 @@ void TCP_Reassembler::CheckEOF()
 // Deliver, DeliverBlock is not virtual, and this allows us to insert
 // operations that apply to all connections using TCP_Contents.
 
-void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
+void TCP_Reassembler::DeliverBlock(uint64 seq, int len, const u_char* data)
 	{
-#ifdef ENABLE_SEQ_TO_SKIP
-	if ( seq_delta(seq + len, seq_to_skip) <= 0 )
+	if ( seq + len <= seq_to_skip )
 		return;
 
-	if ( seq_delta(seq, seq_to_skip) < 0 )
+	if ( seq < seq_to_skip )
 		{
-		int to_skip = seq_delta(seq_to_skip, seq);
+		uint64 to_skip = seq_to_skip - seq;
 		len -= to_skip;
 		data += to_skip;
 		seq = seq_to_skip;
 		}
-#endif
 
 	if ( deliver_tcp_contents )
 		{
@@ -640,23 +619,21 @@ void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
 	in_delivery = true;
 	Deliver(seq, len, data);
 	in_delivery = false;
-#ifdef ENABLE_SEQ_TO_SKIP
-	if ( seq_delta(seq + len, seq_to_skip) < 0 )
+
+	if ( seq + len < seq_to_skip )
 		SkipToSeq(seq_to_skip);
-#endif
+
 	}
 
-#ifdef ENABLE_SEQ_TO_SKIP
-void TCP_Reassembler::SkipToSeq(int seq)
+void TCP_Reassembler::SkipToSeq(uint64 seq)
 	{
-	if ( seq_delta(seq, seq_to_skip) > 0 )
+	if ( seq > seq_to_skip )
 		{
 		seq_to_skip = seq;
 		if ( ! in_delivery )
 			TrimToSeq(seq);
 		}
 	}
-#endif
 
 int TCP_Reassembler::DataPending() const
 	{
@@ -665,20 +642,28 @@ int TCP_Reassembler::DataPending() const
 	if ( skip_deliveries )
 		return 0;
 
-	uint32 delivered_seq = Endpoint()->StartSeq() + DataSeq();
+	uint64 delivered_seq = Endpoint()->StartSeqI64() + DataSeq();
+	uint64 last_seq = TCP_Endpoint::ToFullSeqSpace(Endpoint()->LastSeq(),
+	                                               Endpoint()->SeqWraps());
+
+	if ( last_seq < delivered_seq )
+		return 0;
 
 	// Q. Can we say that?
-	// ASSERT(delivered_seq <= Endpoint()->LastSeq());
+	// ASSERT(delivered_seq <= last_seq);
 	//
-	// A. Yes, but only if we express it with 64-bit comparison
-	// to handle sequence wrapping around.  (Or perhaps seq_delta
-	// is enough here?)
+	// A. That should be true if endpoints are always initialized w/
+	//    trustworthy sequence numbers, though it seems that may not currently
+	//    be the case.  e.g. a RST packet may end up initializing the endpoint.
+	//    In that case, maybe there's not any "right" way to initialize it, so
+	//    the check for last_seq < delivered_seq sort of serves as a check for
+	//    endpoints that weren't initialized w/ meaningful sequence numbers.
 
 	// We've delivered everything if we're up to the penultimate
 	// sequence number (since a FIN consumes an octet in the
 	// sequence space), or right at it (because a RST does not).
-	if ( delivered_seq != Endpoint()->LastSeq() - 1 &&
-	     delivered_seq != Endpoint()->LastSeq() )
+	if ( delivered_seq != last_seq - 1 &&
+	     delivered_seq != last_seq )
 		return 1;
 
 	// If we've sent RST, then we can't send ACKs any more.
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h
index e3dcf82a1b..3dfe75bf10 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.h
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h
@@ -4,13 +4,6 @@
 #include "Reassem.h"
 #include "TCP_Endpoint.h"
 
-// The skip_to_seq feature does not work correctly with connections >2GB due
-// to use of 32 bit signed ints (see comments in TCP_Reassembler.cc) Since
-// it's not used by any analyzer or policy script we disable it. Could be
-// added back in once we start using 64bit integers.
-//
-// #define ENABLE_SEQ_TO_SKIP
-
 class BroFile;
 class Connection;
 
@@ -48,12 +41,12 @@ public:
 	//
 	// If we're not processing contents, then naturally each of
 	// these is empty.
-	void SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack) const;
+	void SizeBufferedData(uint64& waiting_on_hole, uint64& waiting_on_ack) const;
 
 	// How much data is pending delivery since it's not yet reassembled.
 	// Includes the data due to holes (so this value is a bit different
 	// from waiting_on_hole above; and is computed in a different fashion).
-	int NumUndeliveredBytes() const
+	uint64 NumUndeliveredBytes() const
 		{
 		if ( last_block )
 			return last_block->upper - last_reassem_seq;
@@ -64,19 +57,15 @@ public:
 	void SetContentsFile(BroFile* f);
 	BroFile* GetContentsFile() const	{ return record_contents_file; }
 
-	void MatchUndelivered(int up_to_seq = -1);
+	void MatchUndelivered(uint64 up_to_seq, bool use_last_upper);
 
-#ifdef ENABLE_SEQ_TO_SKIP
 	// Skip up to seq, as if there's a content gap.
 	// Can be used to skip HTTP data for performance considerations.
-	void SkipToSeq(int seq);
-} } // namespace analyzer::* 
+	void SkipToSeq(uint64 seq);
 
-#endif
-
-	int DataSent(double t, int seq, int len, const u_char* data,
+	int DataSent(double t, uint64 seq, int len, const u_char* data,
 			bool replaying=true);
-	void AckReceived(int seq);
+	void AckReceived(uint64 seq);
 
 	// Checks if we have delivered all contents that we can possibly
 	// deliver for this endpoint.  Calls TCP_Analyzer::EndpointEOF()
@@ -86,35 +75,32 @@ public:
 	int HasUndeliveredData() const	{ return HasBlocks(); }
 	int HadGap() const	{ return had_gap; }
 	int DataPending() const;
-	int DataSeq() const		{ return LastReassemSeq(); }
+	uint64 DataSeq() const		{ return LastReassemSeq(); }
 
-	void DeliverBlock(int seq, int len, const u_char* data);
-	virtual void Deliver(int seq, int len, const u_char* data);
+	void DeliverBlock(uint64 seq, int len, const u_char* data);
+	virtual void Deliver(uint64 seq, int len, const u_char* data);
 
 	TCP_Endpoint* Endpoint()		{ return endp; }
 	const TCP_Endpoint* Endpoint() const	{ return endp; }
 
 	int IsOrig() const	{ return endp->IsOrig(); }
-#ifdef ENABLE_SEQ_TO_SKIP
-	bool IsSkippedContents(int seq, int length) const
-		{ return seq + length <= seq_to_skip; }
-} } // namespace analyzer::* 
 
-#endif
+	bool IsSkippedContents(uint64 seq, int length) const
+		{ return seq + length <= seq_to_skip; }
 
 private:
 	TCP_Reassembler()	{ }
 
 	DECLARE_SERIAL(TCP_Reassembler);
 
-	void Undelivered(int up_to_seq);
+	void Undelivered(uint64 up_to_seq);
 
-	void RecordToSeq(int start_seq, int stop_seq, BroFile* f);
+	void RecordToSeq(uint64 start_seq, uint64 stop_seq, BroFile* f);
 	void RecordBlock(DataBlock* b, BroFile* f);
-	void RecordGap(int start_seq, int upper_seq, BroFile* f);
+	void RecordGap(uint64 start_seq, uint64 upper_seq, BroFile* f);
 
 	void BlockInserted(DataBlock* b);
-	void Overlap(const u_char* b1, const u_char* b2, int n);
+	void Overlap(const u_char* b1, const u_char* b2, uint64 n);
 
 	TCP_Endpoint* endp;
 
@@ -123,9 +109,8 @@ private:
 	unsigned int did_EOF:1;
 	unsigned int skip_deliveries:1;
 
-#ifdef ENABLE_SEQ_TO_SKIP
-	int seq_to_skip;
-#endif
+	uint64 seq_to_skip;
+
 	bool in_delivery;
 
 	BroFile* record_contents_file;	// file on which to reassemble contents
diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif
index cac18bfa3e..f52fadaebb 100644
--- a/src/analyzer/protocol/tcp/events.bif
+++ b/src/analyzer/protocol/tcp/events.bif
@@ -223,9 +223,10 @@ event connection_EOF%(c: connection, is_orig: bool%);
 ##        corresponds to one set flag, as follows: ``S`` -> SYN; ``F`` -> FIN;
 ##        ``R`` -> RST; ``A`` -> ACK; ``P`` -> PUSH.
 ##
-## seq: The packet's TCP sequence number.
+## seq: The packet's relative TCP sequence number.
 ##
-## ack: The packet's ACK number.
+## ack: If the ACK flag is set for the packet, the packet's relative ACK
+##      number, else zero.
 ##
 ## len: The length of the TCP payload, as specified in the packet header.
 ##
diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
index d81f90d840..400f38839e 100644
--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ b/src/analyzer/protocol/teredo/Teredo.cc
@@ -140,7 +140,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const
 	}
 
 void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-                                    int seq, const IP_Hdr* ip, int caplen)
+                                    uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h
index 0da007187d..68dfb8bb73 100644
--- a/src/analyzer/protocol/teredo/Teredo.h
+++ b/src/analyzer/protocol/teredo/Teredo.h
@@ -19,7 +19,7 @@ public:
 	virtual void Done();
 
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new Teredo_Analyzer(conn); }
diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc
index 4c26ae5d99..36d5831a6a 100644
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@@ -38,7 +38,7 @@ void UDP_Analyzer::Done()
 	}
 
 void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
-					int seq, const IP_Hdr* ip, int caplen)
+					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	assert(ip);
 
diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h
index bcfee401b0..792f83de8a 100644
--- a/src/analyzer/protocol/udp/UDP.h
+++ b/src/analyzer/protocol/udp/UDP.h
@@ -28,7 +28,7 @@ public:
 protected:
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-					int seq, const IP_Hdr* ip, int caplen);
+					uint64 seq, const IP_Hdr* ip, int caplen);
 	virtual bool IsReuse(double t, const u_char* pkt);
 	virtual unsigned int MemoryAllocation() const;
 
diff --git a/src/net_util.h b/src/net_util.h
index e5dbbcdae2..0f34335267 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -119,7 +119,7 @@ struct ip6_rthdr {
 
 // True if sequence # a is between b and c (b <= a <= c).  It must be true
 // that b <= c in the sequence space.
-inline int seq_between(uint32 a, uint32 b, uint32 c)
+inline bool seq_between(uint32 a, uint32 b, uint32 c)
 	{
 	if ( b <= c )
 		return a >= b && a <= c;
@@ -128,9 +128,9 @@ inline int seq_between(uint32 a, uint32 b, uint32 c)
 	}
 
 // Returns a - b, adjusted for sequence wraparound.
-inline int seq_delta(uint32 a, uint32 b)
+inline int32 seq_delta(uint32 a, uint32 b)
 	{
-	return int(a-b);
+	return a - b;
 	}
 
 class IPAddr;
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
new file mode 100644
index 0000000000..c76f4dd03b
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-04-09-16-44-53
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1395939406.175845	CjhGID4nQcgTWjvg4c	192.168.56.1	59763	192.168.56.101	63988	tcp	ftp-data	0.001676	0	270	SF	-	0	ShAdfFa	5	272	4	486	(empty)
+1395939411.361078	CCvvfg3TEfuqmmG4bh	192.168.56.1	59764	192.168.56.101	37150	tcp	ftp-data	150.496065	0	5416666670	SF	-	4675708816	ShAdfFa	13	688	12	24454	(empty)
+1395939399.984671	CXWv6p3arKYeMETxOg	192.168.56.1	59762	192.168.56.101	21	tcp	ftp	169.634297	104	1041	SF	-	0	ShAdDaFf	31	1728	18	1985	(empty)
+#close	2014-04-09-16-44-54
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
new file mode 100644
index 0000000000..b8b9bf9db1
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/files.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open	2014-04-09-16-44-53
+#fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
+#types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
+1395939406.177079	FAb5m22Dhe2Zi95anf	192.168.56.101	192.168.56.1	CjhGID4nQcgTWjvg4c	FTP_DATA	0	DATA_EVENT	text/plain	-	0.000000	-	F	270	-	0	0	F	-	-	-	-	-
+1395939411.364462	FhI0ao2FNTjabdfSBd	192.168.56.101	192.168.56.1	CCvvfg3TEfuqmmG4bh	FTP_DATA	0	DATA_EVENT	text/plain	-	150.490904	-	F	23822	-	5416642848	0	F	-	-	-	-	-
+#close	2014-04-09-16-44-54
diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/out b/testing/btest/Baseline/core.tcp.large-file-reassembly/out
new file mode 100644
index 0000000000..dd3960bdb7
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/out
@@ -0,0 +1,11 @@
+file_chunk, 270, 0, drwxr-xr-x    3 0          0                4096 Mar 27 11:55 .^M^Jdrwxr-xr-x    3 0          0                4096 Mar 27 11:55 ..^M^Jdrwxr-xr-x    2 0          0                4096 Mar 27 11:43 pub^M^J-rw-rw-r--    1 1000       1000       5416666670 Mar 27 11:52 rand.txt^M^J
+file_chunk, 14480, 0, TCf8ZQLH67eBQks8SjFaumquAt7f9eg6GNvyLgvdbRl4QShP5o47kdBupR8IxbCz^JZ1sR200ZDSWX1TeH7UVjxBg+eQ8YpmUbnjqePKMUBbb0uq6tDGYGauJiZnSHVNez^JVZmm+pCPVdIGyWe27Xgub9s8PyDBjVD3amDxvoFb8ad86eTDcrzuPZ0/iFP4CnDY^JHFLAvEbvgBVuKTmveyUjmis9nRgvjaeoHhBV7/XtC6fP9ayGCHqJIYs7pGHEm0hi^Ji95bgfyFCEB2hBvwGGNQStTigpE89eURtsmxnK+I3Hxk+dyBQjQ6hTxQlwmqZuto^J/ZMEv8KCfrZUtTh4s3l621DN7wRiUbgltFXAIoaWwc5YACR65582L9aEX86XVNXt^J8IfLL0klmNgaRO49b1He7exMUA0UCUY9DFdFfqyt2hMoPJqEfm4nRH0x/xQs5x/G^Jq5K+JPJtkyxvqI7AwMSRaN+k7ez12fZCwzpPIU8taS++y0op+kmXsPaTSJpPe8Ev^Js1XyutkfH5OPmrt413q80e4UTlV73zGs8XMBO+VL+Jb+0IUNnmiyWzqIuYokI9RS^JCdLbWCdLGGb6+k76rY4oIDnUbAP7YCDdr2s3QZ9aLMNaSpuyKY19WNzNbw8cI81O^JIuTY6C3NzXMItjWriqAzmMl2AXztrPZZ2GFhyUy1Hwf4DufBEVeDMvhVd+WlfzVn^JlRdy8Os5X0ULPhFDmej+1igX/AD9a2Yf26vqak8AUvLbJciJWFZp17sZYXus6zos^JR17iUaq63Mfl0dk6wnktVLIGt6EHBYb/oJ65ZGLMuFSDqv+NvVhuyNd/IIR4tUKO^JqNVH/+FHHqjbpZQvFHSTqOGA62rb1AecBRnliYKjRTsg7u4/HI+v/jwPnp89pntJ^JkztVIkc7VVG0GhvgnKFjmV+bVddG3UpB3juIVMJwcFOFnQNzF0hm7oDdfEYXEUht^JW/TCpIox9O+VQknCTo4iZcZOOXGkEYRc11C+P2WPk46b2OER/l8agJPG9qS6Yf35^J+ljLAVFNgW12iqiqCYmfQM6z1l+6RIo/DlDSALbhYjTV9CG02WwyQiG4WpkAHnx+^JiaSwwrKYCklvFoUtisVGfV19rTo1HGGG2FFo5oCY4BPmbIQWidTXJtA1JkHsni5R^JPlG8elgJkTJJKkzdwAh5V0UL+m1y2zH+NyQHFzj9zunB0g5QEmuYMt18TvXy7D/W^JkgJbWGvDCKY36ZKVhWTTqsgQ2xecH+vKBaCF4IofA0joodZzBv9GH6UOSkhTML57^J5BRbLoPr3IqbTAx7PFlixb+fIur2UeUo+RYZeDudo7HmvLBnsGFw0K9rBVNg1D8C^JwcO4lpwxZEPsLeqKChpHpQugpkfSnC9B2/Oywoep2FAI2OL4zL9nOWb+QnE8kibe^JmZVCAm6p2qnr1nfKMUP2YWKbTeyowi6dlS9SfQdzc5+a1Asg/+S8ZWOPDJGauS6h^JNrfV2HRoHwYmpqvxN3/8A7vkF+rPgx1yeGHK0mDVn4F2ke1E+r5e1F9IZzM90EkR^JFX1hEcNcqzPX/rerGjD6WNBDdoAvmsth8mrcsIf0iq/yvNblB9R4Vg1+bxHYOXYf^JE70vkvtaSmWCQ5gi19SYK01XR42Jnu+cnUtuCr3P2relXC5TjBqz3V2CO3St9tX/^J8sdKZWDc/kHAQ5uVZAIonoVp6Ffeu2Zz3B0NFjJj9hyJtLIJ+Qg2Bru0YeplIIQz^Jw8WXZ3xHw7nN2pIMRMkef8pAoonGsrUySUhhSjEMZCYDXvWpTSrOwm+LRsyJ9czy^J4kUBxgoiCdxGi0NpljEzvrj27ElBmqa2E/bOoK39ff89GSBvXeHw6NVrrDZhEFrU^JfnALNwjCGdxCrkPm2sw03cdsPRVO0yQppyYbT8MhWuzlq31VGps+EiwfpU+jHsw2^J7CuI4qC/n6yui5irPTV+GJmS900rfqCDab+PW6XJ82rGAN1lvV7+lz/x3lGcFCux^JUudDhQANxzHwTQGmwJeR4Fk+PGTAvQoWfgN+21hgPgIW4Yug1uKtL5IOK2rRVMTf^JljjxQ8FlEfZLdLZgiOOHnpioRz4n/SbcSMw15i9GHMmHE3wOmV7En11vBFPmUcYb^J+d2UaodnxE6psPmSfawBFI6TNT9fKaZchANali9OdFieh79e/7mox79DrzX4tuQT^JNLs1nj0jb+4Tm+LNqkJ5cvDkyFds0FbBd3CblDHNtdkIcSVj3TpkYz1wwYYogt7r^JV6wVmRQ09dhDmRSM8kVinGhVudTpBRH6+F922anxF9exYYKfYi7M/ODjuQLRCK7R^JwSNg7BDBVXt/Q31ryukAzcE5UtCk0LSlci02B1taq2Bp1ChFDpSzaqeshwgCQvYJ^JVLBPFdy21eqa8IQwXZ3wU2TEiGgJIv3k6M07uSDMCJF8/IPf7KmmOy/dotWXWSCe^J9FqYiGMYW5KRrTZnknhS2JYhC4iIHqlGYFYd5cSm3dtx6m1Y4hmqE4+JWRDK2I/s^JCkDbfOvU8UwES3k4tHORdqDn/b54EdEbnG06hfcg2B5FEg7cr90Qjdh838ldIcwG^JI0k9UewaVjjPL1dG585WFMQa3bZChzNN25kRGMQP24BGvA8wuKDseza7rn1dmrYw^JCRSsA2U7gNy96DKQFQX6Ga9uT9OCW+Ukvq2sejhL5cgiqZ6xZpV3WCFlFEjHEZDU^J/Jcaes5cbbkWLHe9PXwlLeCArWkwsrwhM/zS2vWN9xnvPzyYAaDqSlOPNeyBYW0t^JwEca4eu9Kg7dLNrZ8S6tEECdpor+9EAU6T8o60s20nUzmqG96yWhdl1mns+IHW8N^JwJ9u1uYlEKoAHPVdYY6MnWToAxH5KI1OaEfJ4He929/QGkIso6gRRyWlF2shqR+W^Jx74nIGsLeou4Ao8WGVjV0aa1qZiNw5KSB5QB5UuKlmTWG/gdk1APdsmudyg+Vc1T^JAXLdMwj7uvngrIZxFxqipXnWB7FPC4yzeiPu8qOoestmuqkhkD0FPCW5QFhk965F^Jxm9fqwgJPsjBTC5YTB2LOfTO5ZYdJiPYQmETOOe4a9ztL6HwQ2Y/zxc7GD4AbwQp^JM/AbXtIaCYgNkeG9vkJaLn6byDwdmJUZGHHNVjZca8wV6+YlboGrAYrJbX+ndyqH^JKquD7o1PkJTO+4H04lDmYquf/fRembQ51YGyVQaNqbLF1mbyfVd/lc+JJICTVT/o^Ju4+9yTKOhJG2Gb1DmBG+jOIuZkGv6m9CqZYfKTtDv9zwkUeNHMGcAX6n+TPc2WPI^JsBSKIdYnzlvRCMI9BJAWoNej5yQzzfCPlXd15Og+SK0mfM8+44iDRv/051rLVhcI^JCxQpRjq/NdINYF+WwwDoN4VlpPXLZkw1+qYoSHdstDiHv7uhRgP+cEbZXH8mDpe1^Jkj47aUHCLiGP8u1UgRXGH8A0jFp5yPEFU3SBePIehSZZynNB8u04mRpXc1kIlubA^JqnhGKpscdIZnO7KB7pQA2qF+s1I45amehPIBDBzbaGkMJe2Esqphgh3Rk695uPDm^JQM7JjrfhBTlNXxoxC48WdbI9+xzhTavuwP4BhUNADgDel9vxs+HkT1rLR907NaN1^JxWJdo2bsRFNdftSKf2XCthor9VHwOmyU0XI2yeVSxu9hdA1jK4M4C7fmRrQrwuoO^JS6fTlgbMeTey2ZHrJO/iDT+9sGfgT/oGDXYzZrbaFbiBRj5HLweXE+rAyIG77yUY^JZEqkeh1BA1KHSxqhXmkrYr+ambErzrQHIr6fTujmPVc5W1kIZEAhMdLDJ8U/C1dL^JjqjEA/VyjJr8A2gELABBiATb5ro485x/GdUHgOam0sYpHqG4wmsxnM8iVuxbwlS5^JC9z/MjVvBoLl83/YZjG1jfRLkaX6wzWXuSeybIDk7TilDwAdeFAbUfgEqH5xnXND^JPHnSaA8yOxba7kpuRDWJebGb2GPxiP6u0Wk8iXd3jnSJdE3+b69SXzgM82Wht6NH^JFkBEQWf8hDu0pAhxxU32yPCrLoRxCpl/K/p1cL01xtzDbj5Ncfhg5TbYYUyRw2UN^JSHQ46bN/ozKIQ02T+bhA7Z4BVjVw3Fens8jbZX+Z5ClnEiY5q4g+hR6estFTli3z^J0bQBij3OB0yseeOCcyLt9ZpepxQwgO6BNvecNuNtBwEq/xCx7ESzX3N7dVZAjWKE^JdyjbFMIPKMfIMlfU7wvuaxiyWkbVsBcPDPcyLja3qzO85GZgh0Uln+mCModfqZc/^JcplyVPYQBIFXAViGIFZONpAOWC29fy4j0uRsNYKKhRv6fSZzVNbVgeljKFwTCAXu^J8CtcxnpNOTYXuGZbgISo6oHxCy+fIK1Q14eaZepMWWYT22kWR7FlN4BOLcj50K/Z^JBxpcOexNb0QreketOWPWfHflY9YxB07ykX6djOH9ZOlITbZ0c2BMxfJxOaaNbidn^JX1Vka0i06Sk2iFw2MmxHJm5zwN6Ln4S9hCrwaPCDkmXOCoN0pr1jt9teBBA/LkDG^Jn+rp2U4CwSAtJy690+HlZ+Ni/m5QkchnSsGuYXeBE7feao+dBTJ5hyFpMKjjyOS3^Jf+vZkyNxOzgugBnQ5e0suK46y5GhpbrmNIbP8lJn04B6CFe/lidABVS50GK5LqCD^JtdtAyr+6LD0PCJU2pJeqwePqlbQmA5XZxOW1vJVNQJ4EEJfcJj8Ha2hynAOQaiT/^JAXtlD22EXutFfFgFBgkFJZ35+nO4TuSIawad8xkIBnpMX87wpp4nVi3aWd4sMr0o^JyXWSHcd3Y+izqfXH/6BqlUeXNGQjLlj7biMCosz3iFBRhOvUK1a5r90ZcVy+8+Ty^J4qT52tO7+bQOngxBiwqpnvKAONsxFFHWgR7/LjYbYKtgtq+1ibACiaSzQg+IVFP3^J1V7aZb9fZP0YBvbhv4JxdTXxFfJ4knugi+5mmm1PIyznXWnsWOEbYEnZV4dZIq5M^JQqBIYxrS+aWnUyE8DTsXqDUwVL/rBjbhK/1RxNT+mzHG7Q/phD3y2d8ysHlmAWfl^JDGZbZ8+Plpm7uhj/fK6b6FqYO9qJYoTSesyEsZ0Pfjb7uMrYjSbRyRg6yTuV3Qe+^Jjz+g9Nj63cFMlXVlvaBZgwu8giF/SmdkTM48IVc8BkeMJlPg0fnqcEbEgnMrYBsG^Jv8FdEUWTWvzoDFCiQRFrSnPF8GIBcwgrxN7wGqWexfQlzQsQ9XbJlACIwKMLzh2t^JQTr0zs9g8yAk9SQMahWtYJG4IPdAI0mH9dBSYzt0ATxtBe3NpAhrewtcNqTBnII5^JhUcSoygg4JGCBjxZpxle7/anr4CBduMHcAiL9JFCcWb/cg8uwFPm8p+Ddsz+e3ir^J5WZPHa8uXRupG0ZIY3kQXebizwq6aULjDSFy+ggEWHlkGHIAUYpvKXmCiQAWiKiP^JeBSIUBicoJSDOkf0xo1pvC+yKnjlYXhJob3YxuiKoYH6guAz/OSu0Yr/Y+w8fY2r^JmvpnxCwaLbjmYG/ihbaXtiic6xXYjb+OQKfrRywvDQ28UKoLj7lZ0rZfBPPjqGvv^J/qFSiqKvgDua36DPiFy6UO4D2747V7uZoXtWJQEmSEJZOC1NEbyhztzIksHVcT8Z^JKVIHWPyVa69yvmKpIGgEqE92sEvgrKpbeH3xJEekHPkDpCtojjVGJ1Vm2/OrNitV^JMWha/HsUn6obKV7MYIgSIH2BQfs01araaHR54nKL1PmwHvTnYKo7BY3IKxFsDVq/^J/QQWyib6DNqYagd8+jz8tgG3m8/RX0ZO3V8wLgpPNXgXruBIdaqimwPYu6Msstuc^Jj9tPBWiX8XVhrrtoTg7bV2L9rlOdVY10amL4qfcFFjtlbce25vXRwr+DO2En/lqR^JDUngzYLwMTCCb5fEQPPIh/3/paYE+4T1eYQE5WoIO7OLaryzHXqWR1TfWEKAm2gx^JZvlf1Gtwlnuy+Qi8s7TG2/uGg6GqlS3DnL1ryzntYO+7J41qJw3u3Kiv+AhO23eZ^JgUhR5E9InJ4kPQ+g5TyB0l/nAIS4ztOXvAgXDOa0YnkJYlHEJry/UlRGCijyrDr+^Jlumbv8YtfhzX3Px3ufUYVxhW+utGUI24AVKpUf4FjlX7ClDulSGVdE8AxHNZHK00^JpjAPL1SigMdn7Y8xym+NG7XIcHadTc0HW4U45wAZBICwE5Q60vzCbNIEqy8luyAJ^JaTMiI9W9rL0Pf7mkoSZhmfdzdQ2+CV+m0I4EapkS2kBUGOUdyVm51lmsFLGsAtnb^JRlKhBOnSB9tnLy7u2bXqju6c+BW97DLB1mApXC149/KBbsVpxxC8B/WKmDMnFwgk^JGuRP7bMBxZTamnBUFoFazFFUf/JvhG/8ZRn3bn9zcpBVmK65p/6aua5oIEF8lHQJ^Jj69dCO2JnECvpuuLmPzX0KITgnsXec0jKMbkujHsSB1q0WzO4roQCP33d7QhWbb9^J93xNd8S7vWs+jENQ/d+Sab4bIsEAZzjzRhBd6Z2Y+2e0lL4225SjTlQV0rTK4hbI^JV26RP3ooaA2cl0dMZ4n7L+kMKh83wRvHxV0oD218YzsVZZk7azUr+6L4KvzOU6Xf^JFQDP05ykX6k3Ix7Xg+aoIUvThAU0hyYxn2aEcZtQqVtJ45FYym9/8mdeBbNlmI++^JZK1fC7vylUhO9comEAUWcAeIETXwnb2O0syp6ArLVPuTPF07OdpqY9g5ooje/vGA^JCOCF3OCghSfV4HmgHaMDbxV040bMyUrFwX+33QKg6H8tZr9H3FHoKSrn6D8viKyf^Jw1iA2H8fb8HSN2hHjlUFJZEvaYTnUWWmXTzwcNsAJGwpdilBZCB+kfTpHuc0j7TS^JbzbMh7eZRLBrPH/B8PGv3s+vG02KwKrBPRN8saDMRFlp3Y+dfYlycpVLkbYTiP0D^JdadaY/6GaX4dYrGNhHS0uZwcwUjSmaOniwgmEPyjwPmAN9DdNYR/d9cd3eRYEXor^JyJYEPiSt3OLT3Qn5+L9+dKnIaJs0CqjItKgoNAvmEACxdGui2T1G+TOVSupPlHwX^JYJaiMo99b0u5WfPefYXPLAO6yBXu1lKvLSPbyyd8epZY2i5Y+/arhEp99fJPt8Ja^Jfy9Kl1XWi2nDaDFhuV+26wGK/hasMdgkl4MpFR1SaZOTIHnjOI8j7DqqdZ3yE3xz^Jzvh+NYohCU4K6WD7nkkQydb3ddMHd12fdJvI0YRw/QmsRQ5N3BLMVhPYFhHuVHan^JHeyfnIKzmS9uaDiuSkx7c7or7fyLP93uDjs1w7DoMn1/oWWV8A+k/wNcw+TCybkd^J9ZZbX/5hBy+jdc4UuRt57B2cm/HWuVaM3zZngz9k01iy8R3xik+D8Kd4bfpO3Rfx^J/u3qB973X46IX9YkRi0nfRM+PGYvC62FaUArk7h5vxEuSuG6hDF2AtIfdsWSQv31^J5hL6I9IxT5vbhRK+h15V3rdTDcN6MlF6mwN72cLPsylxfR9jpUVW2ab+gL6/v7rn^JHgZeyYV9CpIBEelHIY9TMqCY8GeGQno8K9vvwugx2ky1yGoZ8fCrLZy4umRd9wGE^JIoqdDAlWqIpvqf675V4Db5s/y7uv5p7CMNCWh/APdpWvzlWQ2XgVQtecl6sAhB6J^Jh9XbFWh4dVAC/ftbzd1nxuqDNUBDZYR6WniWIuPZIDsv+mcxrqA/8uSDAKfCT+VQ^JZIy9aMLfli23hZOlayfOTzBrl4/cDgnw3fWMVB8WZEdj2GQqeGZu3upC4QdR0c2Y^JKDdkAh2ekhJEiNA9L2DnZXtxXcgKA4x6Ok1AXY2SIRpTN4UED2CWnqqA54Cg0s66^JpIWUZZrK2t+wKumRXkszD8+s0tpgqjCCjHLagzIB2jphatxseHVe/RE+Sp+Ooo6t^JKqJn7fFIL81GA4SB/qwinU0jV2pyW9naCTO7clu1d4BTAE2Kz9q54zp37BlKmcTF^JloBrygICa/NvtyinA4nqkGJKO75Q15eDEXhzW8PUMxZkNJzqUHY8QkifKkVmYp2k^J4VSZ7VObaui3sH8mc+uh0i2vlXNHJMOrt4taJ0SyWbryPXP3wxDxzo2gbyTlqPDF^J2JBSRPIGTTf4WeeN51j7ZrQK8zYktg1urhtBYABHdeSz3aIoE2qTR9U5lvNB/bCN^JwPN5Elb/grlAyD/d4k+d8Vy9GgKNq1nqtjI2uGqf4x69CSn7HH2Bfe6MUx0L70da^Jd07M4tkaFBMbOwen7rnP2T3nqmrikYWyyS1GXjW9Ts6UPF3O4UpL0ZaUsTwv2+F5^Jzc/IFns7Udyys8+sJnRg0EaFN/VnOk943VTWidbN6ezorOF5dBAPloXhcBaRs5jB^JeDta11oVC4PmOo55lwKMAMG8kyTps+tFFLJl+uXiYTj+pTayYPEk6d/zWp/wB/3S^J40VLs00fF+OeaguQ2bElfnXK9+HP0Hyusa77YpetVmIYAoOuySVcjsa5xS6MncIU^JEQdNnDhiN/MWKikaLzcaF7KTKtkaYzrs/Wx29n/eb+53xKKU5qwPCFQuGzwbcUST^JbbnMA0ucEYthm2//t2drRFQJc5vdUjr5wyjrAH00c1OLovXW+jsdvpQjYOBwG/OI^JlWOdt+aDoxwdz4mn9QXG3+9UjDpIYPj4XehovH++hWJj0fdiySNKaacOoNwVV6ty^Jl6MkknvVhYIPG5l29n2voBSYzMoBZmOvU1D9wG7y4rwPDC9K+5cIGk1Q7U3FzvBG^J2oOBgdrBa8VXwAZkC+PIHhgmEqRHvzAIhRLfzgNTwSXeeu8gHck8CD+lBWkayV1g^JKvsGRgQ8h89RRHo6Ky0L8XoCsOsEyb+m4Zsq6YeCceNV7DFCFw+GEzVvtLSYtFtr^JF08tKhpYZOEMSqPv9SUbcL/HtVl1+FRnTUe5UxDXrwVX16RvPaqFs15nJfFLqgDm^J3WFjmi7W4aIgSQUBUlEue34hTWPRpauluaAuKStu3xNoNm9aKfo24cPJsQdCIiMD^JuRL3FqyjNfZKo82X/OKqt0EYfK3w9ys7t0ewAO59Bm4eokdARepljfbHXy4X8+/O^JF5aguc6m74jgVoEPxdffprU4T7vXwVO8k3FmZ7+JrBsPRI4hTwVqRevgIoPYBpxe^JngSfxNNFscFYjbRIPcMlauvnwkrVnD48VZnsOpNszl/FbCNfolM19WCdLHCiIUPB^JiJA+ozEbiijt92F4hv+ALQksEzrgbrr48t1/YOK3WvZJrFNhKoQKpQ3JTWMnMoke^JOHel5uQez/iUSwNLxlnFaBRptfUgugdb6i5NkWxudWYAWJSoxHwQMUuE9NpTG3ha^JiFEPCIzX1FqXkZCnGyTdWc1WQwthefC3atUR2dSR0MeGhAbVpDputwB6gJB263mX^Jh0J9Gd1G8/6g93fM7AXHC3K67phaLmLHG2NkNH6Q2HnOw7BkRuhYuWhG9/v15ih1^JuhoMnEHvgnDke4C5FxpV6A3T0XaGJjfqre/4MAHELmXfSd+RlF5FR7ZnWNjPTL9l^JlnsqEXQ+DpsHFWfo0SU5tC5PBM//ZwozP45FOVxKEjk4z59tGZwg7wgJEZfEzjTb^JQotqYrFWpa8LwueJPbsPnFTOGDtIVPzg12Gg0s5mNTXv3LgyZjJ5Ot1aQUOeoMEd^JaYK3G9a92Hq/6ugfvlqtOe7uV2NJp3K6Kav5RI7di1K+4Hl6T6ohq0BEo1JU+BHT^JyWPSVqkrNIAYA/ShG3ipO8cV6MUcnlRzBgYvn7/fWpeAbDkXDNxYxmfmTIgUwMm1^JzUgAj8KNEjGc7NRIkIhD/taYl/H0dbBbGdlhzGQMu9a1xQ2w+3wQBo2cLywAAf+A^JsbQvkP3L7+8DJ8Ai76GSuA238Coj/k2WFLvGJCG53kNxydjZT9Q9NhP0/bwUObaI^J0Hw2mXfxhBn6+qNJN+hwktzS4zrgq8nbdLtPRvBYYbubYASw1ZUWfJy6GxmiT3OA^JOuGA4C+siVqQRpTAW4AyzNEwNgjw5Apxq790EwMC8lZhdmSbAdRvI4LUgZFKU7sq^JOGKF46fAxsgVcJI7JgpRB4LX7jOrSiqHj6BptA1fHndIrQ/6XTOzsC3JTnKKIXBC^JXAp3HO9zAas7llLvSRDmVR0NfBpjNwCeIFxp4bY3eYHKxruGylwelY87G73UoTmp^J7BpfYuOtdFXi+MfWzSd4hQsoxBiLbDbXL+OSMI2aegXGtMJMGt7NL0QYqqO0d+z+^JnvezoFA7xnqZou/M3Zjo/VABy/m1HBMdTU5g6G4WD+8aw+TDfvPK+Op4Lb7MuyxE^JSmPBxPaHEQYmCKMzOwGQEI/AH0mM5UTOLpfurfQ/FaQthUuPfL1sraZBV1uxWWZ+^JunTkttIUWlX1CF7AqN6o92QF4MpjZwn6dtU/WLmDm/j64CjlRifNP3hPL7xDXR4O^JfFU3aFO1AjB0Md0d4OnbtiBHd3xVtg9o2noglEdSEoboBz8ikZa1kq5vu3kgqAVQ^Jz/w+zhw49o9GDo583jLECbxOIrfMgxnv2RND/Etoc9XOY3U6d2C55GTzN5CwvG8y^JmObnT77IkD8PHKb7B4+zO40GWfsGdc1JwJ8VuetrEZKqxpyf3TtgPQ8gWkJt7zt5^JWjoZhrHI7opFo3uFDC23dOmVBPQkXzC8IyYcRT1B/Wh7um3X+ZXdUTyq1e60sC8A^JRNRy+Nd2OQkEH5BiCmunb+kvfdx739i5dLQWrIgvDFJPmfbUhyuyqDboxTMedNpn^JbebTEbrFJFxCwOLREtTWMaXorDnEd9X0YrxkkljwYUweiZIgOZu7QALj4G0an8EZ^J+i88NMdD+KONWySuZL8UGpuWMqOG5qpt8oMAXuNZgjnGu+dPmQ7PiTIftkIldgA0^J/mzOt31RkN/+YuL9sEHXfZPCATwqRJoWfTHYKRLjyvnKK8UclTAiwkgehUD8dpJK^J/f0kzIA0AaNotwMIY2S8h+2wAsDpTUmg+47izIoAiylX2Ek0kMLY/cMQp/pZJII+^JnSqLkbbJC1iJTkzzkA4Sq9BEwYHX+AQACfR1XSi5fQ1cwFl4oIftsFhUnrW1yIkD^JkqnvkFP21puNq/Cb8uKJD+qRTpePrke3+Q5cndY0nPI9S2PABdmPOPABA380EjtN^Jva499Dxgcuozj7C42DVdthSiedF1V/MZgWTG6CCdDZijf0/dEkxpMFDrdCm9gr9/^J0BzznU1hXXrug0xIlZ81W935KgcSwzT62vp1EAT5L8vZN57Oog8VTVTmTPKnOSo4^J/1YPJnTYkvBoW1YeHBSvJaik6g9lqtqUsb+aup5QoY2SKM/WMZIpHz0OUsidZywA^JX2GgunrW8R2jgYqi7icCt6soC0a/M1AeT2g6zAaGD8TI5gRZWmrGvqKZXFK1zkP1^J+1ri6w2Bothzg8tz1eG7Uuyu/jHP0ENz4DlfTawIRot55VHPh4dNiv2akdza0LUs^J7rdoa+ZIevf2jyvC7YZP46i3V4OHhdh8u8DLJFTpK4yzSSaFNpFJ0hurpyqwAtf5^JoB70MY69lVZwhuCn7249QbGZ7vc9aCBtWP9sx2kUHQG9l/WQ5VSrrsfcJqnw9AzY^JePk/Yv0O0LFIuHL8ZjkSNVfvaC59Fi7cRqJ7PKZDbFQz3cMfyaGs9NBE73EDv7lF^JOCCh8G/Ocg3EWzBkin6mnrvOy1hu4EDD7yQqeVS0+xHQPZICr9X0SKGXXUyvn4eL^J89+8cIACBlOecMs3pnrhlLIla790gySCmCybrwXtAfN1byomJL2wsQqcLeXiLAwJ^JgGXKTjJZXgRTq8qFjrqw1JBuqYo/BMuOAO8P175zbX97Nn5uy4YE15aBG/5GsDhn^JhhVhncMJUyJNyhj//PSDPvXWbDWD5TG58PZih6mhadE3Do6eRPfVVx8OlOsfLiHg^JHa7+s1aX/bX9+Ibng4khoSjNGYIIg3dmF+EZ0MUEfxmV2OxItlPCcxvK7850S3C5^JcOuJHqzzbJdz7J1/hAFs8z0w2ndIFNdf23jWZ/BsfaHhyjel2KEnrTpSVqSiOi3Z^JYxIiHk2EH+0VAlcmtbfFSreDi+1E+Mi1O3DMUoNZJpiPwJxGjPaBdM6yRACrByy8^JY4YRH1VBJ6zZcIiKjjP08csRizu1nfKOsalhmaMpPGCvPkDvKFIp2BJxDcpMU/Cc^JyyDmV57jx7BH3txuyIw/TQIDuQ/As0+37GW1t+n0hyuaG3LjjZRPM1oqR0svvmU2^JiuXx2lkuwcKcrvKcXYiueacKdkizP3SirDTsDsTejrbGLkIoFWg11vNl/AZ7KW8F^J3s6EwVAdSaVTn6kb9TE0045O1bTuu8DHbDbGJnA7u+4am7ToX0iSo1yaOOIEzhA7^JYvVoTDFsfKSdLtHNEO/wlXoYHBuOAQw093Z+2GAyWfq5y/qT7vh5FYL2WbF6g8xc^Jta6ebB9Rqno1xC2BTwgwJ6VPzpFS3r8ArWdelq/0GCHIj/6x/2AfXQX+mvbE77gE^JMEHB2Qo+tZQCIqAnNNuaAjbBHuvLSy3c+sNYnvJoyzQ5yK8+gdtbJethaaWXk7jI^J4PU0t1LamlEWGZMKISK3zn8pfQAdh+ozYprnaQsqYjSBUsb3SAsI1CgVMSd/p4iW^JZdeA2vt35dsm3JaJNIrbk82AP12PH1DQW84zEee4+ljsUmnNnocNAyTqfkjTdRCZ^Jm5m2kTijKb+72KH5qnMRIMJHOZJ1etLLWGxGPwQ6ZcIW1qSkisv3HjjTkKGaHiyQ^JCBViKUVCZ70DAtEhdxnt4We4AqkHLF/HQKkKixTiQyYmmuHGr0NqOaNxcG05tPZ+^J4mBbI97OnVszlYi3XYIvd2gll/+KCrun3yURvzVML6RrnqPwnGeLyGoFpqvvUSji^JVi0S6tgNKEA1644bmTuWP9zszpKVNRH8mbgVMpxNN+830CbqiBZosE4TuP36D2Ug^JLq265sflRY62rzGEI/EsJ2L47t7waTIQk3sxIzR70mZlJqchH6VhnfTk6S2Xgrv9^J6cMZxvVtAeSCsXAi5J9wgdso8z07jgRvzPG5Lzx6ILVEKE2sJQdxaleHFAjY/fXG^Jdb4vLk3NELU4zh4iNgB77XshiNeeCoYp3a9TipOrHCPj5txwICaUeaE42auHkdjb^JQSBABJwLOd+bXZWuQpFqZ8j9OjXC6q1HZi13VVreLhsD2yiUjhQn00V3d8gEfPFv^J045cUboZlWsU110UV/7OLDke2Vvd/gTp9EAb62EPAR7W8kRA2gfYbxoa0LqB1zK4^J9H6Dbir4dd7WOx+CfQD/LbRVWUBgL8E5Kt3WhAFkb1Rtnzs0fVAijk/bauFIadLT^J5wKK6nfjv73wYAKbwkw6+Rmo5Ki86YjF5VgFbjtYwcUvN9xabNl7xh9rtdtyq/4b^JkhzC/jwyg5pvg7p8v/q8Mbm7wY9Xv0fZxYaLin+tcq150yNycwmxoO4oyEXLx8NK^JTrmZKIGbJ1MiFmh/AuB1kMoZbDy37kvOs0yJjl0fA2SuSlulkFzWekmuLnVfbZJF^JvhLRPdpM5OY55IY62ICkRAnCX+j9/i5jx0BSSfmB4Yhh63szrF6slKZfITssSAkp^JhdaAyfAhBTu/APBF2GgEh4BiL2fpK8a4LFZtSZWIqwHa4bmWjyjRJBuvK7GjbLeg^JDnCuPPdNOwfPeuhW2B8h7FM8rEhwtJIysP62lpNuIeD876yB2uCsYYvnIx6Sx3qX^JhX+2xkF5p5vh6sM8WnnZqbVN9lI/5ru/sghlopPt/mUMuYcR73ja9odPtYCYbZTa^JK/oCCS3lu6BFmyCsHOUgn7Dn8mGsorOdzfa/W6/Es4AgtqPS3VynrTgt/nKUULi0^Jez0yIkIOHqYkl6DrmJIOXrwwxqMgSrTe0vvrOdTifQaDF/MTgfHp1+xuEpi3Xgzz^J8gKRAPIgMJkm44YPlBRRfYTzrFYPGJxeMe4CnL6NgcN6TCE7Y0aOvpbgBw6/JZd9^JqC1sLRbKuUkkRzzN0T6LcHX95RCcL/9Lp1RKqaoQnX0wZhskLkGz3/L9rDDtLeAM^JhTYExb6VAciL9a9oeOTJDXjJ2MQGjUVAHjouLLtFJLdmrqpc+tUFB2L5IW/ZgP1u^JHcmlIa2m5lxxcFHdYRo8FVtM8avDhunvmtMaYL0LBP1HmHr8xl42ICSqASRPUw8t^JE0siS+GwIdM/F2X2NH0sz/leTvVVl2iD7suRUHVk0vHa5+lypZcCSQ9qvp7mXIfs^JmOfwRNn8VT4UHRi1gjsEwXEUyLXPxOAq7MlO714gWtZYWiXJXnDVPL88Tai1eMz3^JVrzkpFUTW5DtNiRRM4DbZMtjcv0J+tunLbrHvVRaVYKnuwZlFL+6X+Cr0BzmkOoL^Jxm+8Gf8+Iih859+rRj8/T7lPV+S87zQAUcXXTiEvJrl86DJ9Kl
+file_chunk, 752, 380370192, GsvqfXiJ4np0khHUmapJNPmJQKa0luEG6FpCzgp0Dyl47QbUHksinrhMu^Jo8584ANcgv0sVUAruYbHZKqWHF1iaF33J5moGutRzOir5TpCwsYtUJTItLPqAigi^JUZIpKxPbO1Qu7ogRR+m96RRQWPGMM0gtauwU8a4i920bBrETqumRuEBs11GgfVBH^JZAc44gk8Dg0YmuX2XnxxWHxqQkVbpHoDLGzeFh/3DkQ9xmAFWktrZHoefkUFgJ68^J1JG8ovCJUheKpSkhI7xcm/OLvfXpVZMatajQGo+4pCA28fQ7SlO0NJuQQUB1Dl9H^JYKuqg6sXuXE3n2BtmQW3LMUG4EIA7bplb0Njb2sCxh/XjApgMVQXzzAmhwuz4o4k^JiaecwnEheh8CLnv8JWMshGw1zDgidP5HbJ3siVD1QhFGmMvkX/ZM7bo7zMZfpRbE^JMdVIb5jJBGUXl1lCol3qbMnSoHNhOo7doGEFhTuVvXK8lP/bmlssoH8aGc52bjws^JYZXn2kVUhUV7d4TJzPhByjKFHg1mY4WZVwRUG2TbgOiy74z5brEhU5/he3helhy8^JqXMSQKGZlMqbHByHDEjBYpR2PqebUuuDPNpkmZ2nNG4NAVOa0gvDcrocMsCEbW8F^JXp2Bmrxj4idyuqruml/tmhYEm1JSPqnAtJCvldK/Ksu7WSMXDYZSitG+2Q4n0L6V^Ju62Pt8j5vMU0RRCbqq3ETqSUEqasL96nHQys/ppzaraC
+file_chunk, 752, 380763408, gXdxRZzzH8TAPLeCpKo4lkFco7^JVvkx0JG2M4OVAYmaExT9D1KAHw2PxHnIgNUBq1jHnyj9VEq9r4q3ImdsoysEswws^JNzUDy0dboVl7ZetTP6iOLaeghpKUezHDfHFdgQJK0M7l0GTps9dKqumA6vb8zElx^Jf7tgGXKbPgGXirMekktHzJmb0egVOxwdxRihS5KggKG4u8uNGqq/0vcIZuQCBvVZ^JDCUdJG8s0L9aqifuzQ+3y/4v0l+qQ3daY20plf/KWhbp9T3QBCiutmbMSnIQoK/H^JZ7yqa1h2w1aSgSOStv2tWtCcjjgmBI8acLZ/D6/LZAgF9ZdEfSnK9+39yw9vHg9W^J2IpsFzmtD+CyQ1eVrarHiGL0cDd9kKPE45czXjT96cjk40+SgN/08efxvRvOZpV4^JMvW3fHpSFS8UQecdE+NKyPqf9zEMd/8UBwzKD6PQHJ8HpCLIFdy+wsbwU4+yRJBC^JTdEOlDT8j+laAmErlQw8Mgf5KcPx1hBIqecPaZqfpz5r6LmCXYbZQVW8E318CJfF^J7vGlrZLQh/x6/0oOICTUqd/CaPGhXDrrS2MRGbCEG5N/n/qIQUyyBJoXbPp1AAwG^J8OlwvOcAQWh0AJoXwI4bFF3lqIsBvLwVOL20uRIqsAfmxle6nfwSKAT8FDnqyAng^JBsPh4X3wUmOKuqG9cZhc5544WG1Ec8WRKmEB8ru24k3Lw0GsFPYNLpmbrYPofVlh^JXbH69HCe18
+file_chunk, 752, 2293234960, bE5SAPMll^Jaib84k6IRyHiKCbCiaAZVHGn7mK06uxYUbD7bZSfWLRVOrJpAwF7KCprFfMglIo0^JwCSYXGRoYX87FbYLtOCxuc/rFQE3JjNQMmNbTjxQv69xmpCQ6VWs8ePj3n9hDuAC^JBLq/iJ2h6hKeLUfcpblaJ4+2hHO+Bfr1PX6juuATkCex1QMCAr0ykNuXrirTvGm9^JHFjQyOKV1Mk5srxRXf0o9CZDnw0h02cDV1Zm/MzpnmA1uRy4mNBGXmR4tXn6Jype^JCwrONyUP6jDaRQDeqLnniEKnZrPvu+33rAdFK+1TRzr//gnudo2nj6ehzw5GavxS^JOYOjpXTQKo3sXtDuO0XKtGlQMN7cdV95tkXEpyatfdjFs57BBXyih/w50WfNRlJ9^JvDcC21ht9AuYP/7/N1sSAZ8O5icTEqiLox1gm/s7CJR38nN695+0aGRrI2zdnZJD^JffR7ha8uqFsfJbJSIBrqHXsSleF8hjqlVTXyGpd/yo96KsYk1qKsIdgkMVT+cMuf^JjFwxhTW+BH8s+K00eNzpjIUzJY8fUOusUYbWNlvRHZVzs1zKUzJiWNmKSEQkAVnx^Jp+wWj5yQKPJyIwJUR2DcGzkXES8udDbfstiPqRHeAUcm3otjWQzn78jdQ/trYq03^Jh/yu+wuWsMazmSoDY5kEXCYLovRX8zBfPsT0/yx4Jk9eTdo1AY10E7mMFOufZ31O^JNSZ5clGw/3oyPNw0Dthl6RJGRMl
+file_chunk, 752, 2338716944, rKkq7+/L7WcTv1pXM2kK^JARYWqoQyfEpftTMC+UdQgVQxklO0zOYQwIOF3I50JNSycpqO6QWEVCr/yNarcSQC^JALVtH/fJKp76r/825GduosjDFDlYyohREwQqqvYlnXszy6DeIVN3Fpb+ChkwvNmw^J1XVj74VT8QQH2g1fbwQsjL4QOw/xLqgZtq/3SiDLvOsnrpvuN5oQcUdV+1g12I1N^JJCznvVYVUTBnNWV1wNFecvuBxGYRETJE1aRHFimjFAezAVSW+FcwwHhcXY/8mpNN^JJieshkOjYKeUjhla2fDXH7OY1aS0T/bqBUqkdVTjkm0C3E6NlUGUA5t31I4jqEb5^JbNwrKpLJqCjpr/uRs+e9ef1mais77rMwxMxu3zOgI0+Wl7oEt4HXPMbLw7FlXByH^JPm3D3f0Vm/rsfABU7nPH8EOfR0Ad5WY4Ul+K8HGgFL5EpWgagrAxIm8ZMba0G37O^Jyt0CBAy0FJvTMCaIuFlL1VshcatltJqKgVoClur2gn8mnsMEKMsgLNE57G/v75aa^JK2G1EuFFg8F27Ry8WPFJhdnMBno5NIlBlp4a+GNnoyYypvSiyCH6ep0mmHCkInjI^Js25AU8PJzVK5fgJgZITJcS2ID4bQCFy4mVn4MtlPAQOGbZ4f1mNHWKXEj/arz9jx^J2LnF9I9OfP2SIUNuGr6EnZ1JO1ycPFh5Pmd7Cpl1MO9APB2RpwZ7FwAuwfNzRtHv^Jsgutwr6ceMsddeT9
+file_chunk, 752, 4260756752, 4Qr21M3p5vrxpuLqal1FrU4X8z1+r05kDvqcs1RzecdzoBp/FCMU^JykfOgs1BNZU6UypSW2vwOxaQFJSTb90OAdX6hpyTSRT+k1RaGwGdWgn7OdFgdizP^J4Qo6W9abCfi+6BnzHkxxSFTQfd9AFWZ1LlPw5+NjUXfxdi/jGLtDIopnKAE8LshA^J108MLfjjWwlcqs4v1XJHGfjCaauVsrRdes8uhXfiCZgUL0KOKvwHvBy2TKLDb3ZY^JAeJxEBZlgadEjxXjyQZ4BcvU1Gwa2TaIfKsM/2mCTiCIqBo3Mw5tVHkDvEBGKUdS^JvY8E9bpKp26Y2ejYdVk8JSt58wDHzNBeO7ocmzBn3s2fQNbiwX3I+eeJjkogqKTa^JjQSAGi+bUGKWE9dZyDkMZd7NnvLhxO2gEoRlYYjVuDDeDbXvBtLHDa6puLcO1p0Q^JHIkzRmtMTV5SVPhXjQCJyps/bp5v/HzViCLRfXiL0+nDDVesaVbhko71aICGI9Pn^JsvSR7E4qvDdzOppjmWKkau8QcuhLKlzUpyEI1SNAGzrSqL2OuHqdUK5ypuL8RZmm^JXGGDmJ27yMYNjgr3aTJ13eJLH/MQvLAIBys7GKM9BZ0UJW8W4KpbDFRRJieo/62U^JWtkGoNw6dRiCdkuHkWRs40aKc1yhDaoMxY9BHpMtUuxid9Qu9MCiAs33JHLzc+so^JBeFtAtKFW1VSSe31oO9fUfgGucj9BP3QpaqFA0t30TazwxUj3
+file_chunk, 2896, 4303090112, yZg/LJ/GpmwgXe+ESFWIDa^JxR4TdIMTekg4qqCL5PpNJ6DHfkkdsjsQ9zqkWNtrc/GpqBPClN8IwD4qThUGd+tI^JTe38v0hZWuuNnOjY9eJO747wIiPqy15oBYpstGeIdESgUFr9/xg82fGjalkY2ZVQ^JJAlH0xNX+TF5QIn9BUMnxn6OCA0DkQYqybz2eq82jB7ZEnGLdDvB8WeaQIjxBuVx^JDAiCwzjC2jpO+wNYCorVym4VFti4AgGYghyLmyAicit9NqPTMsaD2BbRpb/qHg0P^JdX53dFZe0qlqsrA15n3KCuLiw5YXEFUmUQuAN0dAOqlzOTOPpNmJakHF3TqIXvw6^JV/qERQeuiNPwnBZWrZvpTjO50VatjcUizhJRwTiQjbQ7+mqgHxiEa9abpzqlTN2I^JW/uUssi0jaVeFdL3MHZYHltusyTx0F4iH+KGJ1n7YRefPAI5klNZu3XmTQsQafkF^J1DMVbqcJT+aLdlz2hWMy1R0BfV2XMrO2/XhG2nOScnRzS8Z7EmAgqZmzFfF+nqyP^J9UCd39Si6aUrss3N0oCJ/44F3T55uSHYf2LCgoaaiR5IML5tk9mHVRyTile5iF3P^JNPwMnlSeka31pzsqLRiWIAvKqk5yZJ1v290/Aff0SSIxKggtVMBq3YmJeRb6LrkJ^JjkYC41zT+lvvvMRBJCFOOXBgesIBHq7pOKBKPY/xAcN/e+AQqHLlY/OGMT6+GK9v^JGXN4TvdRLBYHZQqyk2ITYWD5iQqweeZ2UmjB3Is3lDKtnlO6qbWvvYmYPoXDrNI5^JhRX0gaiVC5LyZZ9NheeAgb5ZTqYUcvNCxM7BFV7gJMFXc8gT7A0FG3YbkV9Y4D7v^J3NduhJG8kgS814/l3Il9K3jc12uv8V25orXa4lDXTbTu8WanSYUkg4cLjqfKD5Vh^Jly0ZTpYeNx1NdO8FoSGJhqI0BC/p2NyjzmTh3mrGk6tnfHuqXAMH5tIt/EC10MmP^JE2WTu0XrNk7I9bWBRRNWx+ysP1CJUd5GbYOcQpFHBfG+9ApIf3LjxSLU00/b7Ui2^Jz/92JI8T6X4TdKxA7DY10IJg6KJBsUAUJ9Co6Fxr9+9OIo0bdj1IcD5+w/qB7xzJ^JNC3dgXc86uEDpvICZS2vIeCZTrc9vgxBxpftsdVNn1nDYlalXZeNsAmDiy3QJ/wO^JPS3Li40x0KtDWbxMzgflfzuyMZQBFSNeQ7CXFh9mJMJQkuAtHN+yAEqJJKaYV1bt^JJM2jAeKb64mN31lIzTnkJEGWcvLNS0uiZKJQrm0lqsentMitzc/+U0gSxzsfbqmW^J187RzZAsNlfWnLN7miAPsdxas2JGGrmHzjaUkL7U+YJdAToYlxjMTnZgztt9LJxA^JSprIv68hyNVF+4+fpL7QER9EOmgQOIxjlxCx75SDd5g3CWJkVbXl8uU6G+j02j+Y^JcOXNTTwX2ptbc/79Kw9iDMV9YkAZtP8BD0Any1Fqh/IMx4QcMXEx46yDV2ji7umH^J1SO686Lv9zGXYb+ApuY6PVuICTJrWLIZBE48otTKBXTJ27wGiEf28Z7bh74P06Qv^JXMTUryBMDg9JrcCGTvelIZO+DbMMMN72Mh/lXBAOLIkfh9WvgqyMIH1kfg0H3AwN^JB9b689RpbK0N+xhfV/aIqGp3a1KbXqPA/h85vUI1aLXPreBN9gyTKe5K0HXw3Edo^JqMcB6m//PN72r6epmEMgdthZs5GtNcQBx2GbOonY1sot6ZA41GR4hfl+EJPc81uY^J55uCcANhvaaIl+V7GCjV414dNq89TzNFHF1sG3ifM5ePRhFHVnsE8HgoE3hsMhqH^J87vMDghqNZi7+tGPNjZvZGVtB+RL8ltGhUSuoE9OjU9S96T14TZT8ksIo2jb6+Tq^J6Vo3Y3vKc6krHH93OKiXN0hwqPupBD6xo/23Ivnk1qu4xAZ2fnR1Ob0BKcPCrNdi^JREI++RJzxugNvbGOf2LIdoI/2yChB5i4tg3qYRRRagUpNohIxW5eJy5ugiCwOH6d^JuPmvLXUzs3J0HWdCVpmgURIP4omxgUkLYeJNp4CmeTAUr6uVrqzRCDYPOYrCT4tB^JYL6uyxhmOfwL5/YuVtsCcKjX8nGvOIHdtiMolPpeH8qdv0zp9kY+h8eTE/WGh5HF^JA4VLUCH5d8qok38Q2Xvtiji0QrKr4j+P5Vhp8YbKLwFEqs3+NvA1iEx/RQhTvPO+^JHCdnaCc0vIaAp3jR88OrMDhHyKePPMk6shiWiFM4atdQesswq11pHaUrUoATZGm+^JG4IsH5+DZVk+ztcDnA2+f1+FKDFHloA7VWMiuccer4ZHFqaB1WGpTOMTBF0xhBYo^JmhRBLM+O3SJ3+I3FwbmE4mPnh8PMalte/qm9IFtDIhVdoo5+lS4tarJTPwazW+cs^JAIxETVWHanH/QOtyEdrnufA+kcj9DLRA0IUQLySOYCGQ3ZZsHyyEDV/9IWOjpARW^JDObwlGFQk2mWcH4/CdOl0ZQajrk2hWbwDuFx+RVy84JapHNIAFgH48u+bn+hgf3V^JVX1bUYtRpwrBEEBwD9rQJ6iMmeqg2B/Ih9RxPBq3wyvbhzk/VVCaUq3c+XLz+6B/^JwaUQeYEQ32U8XkaKbWsXxrcKZvZ70oYLGU1+mHLV/Lc/vwch4nAJmtRYRrZ8hXgx^J7CRciM9baxlkZ8zAaRXcGW2Gbl8m//oHERz8/8j7YpbkY3Y0qfeIqNoQyHieLPc+^JWwUfKskpxIgL7MhKlDs1fmJe6X6o3KW11JZqldPwKL6WGK5P4OS2fULClB9MD605^JNpjTRR0NBoNpKKr6UApGAqwfZmc+7oGZHVBw41tiCKuAavQydcOtOg7Xj84i26J1^JBppraxJIvxoJ3
+file_chunk, 752, 4675468560, +DcPcn4qO^JffnlMfb0kLM2x5RyTcNksyV29GDPpFDXWpehoJ56Wt8CMltAlRzSEEPAjWTISMvB^JgYHW2wKs9VHgQ4x2pxmnLTGmMKS49QFadEaILpCb7Vbi+EnWeDwitcBjWI2GrSMq^JYvex9t0vSEt1BrebNcumhwZ4fEjJ8+aci+ZW/r6ZVd7NMrSKMYpMTp1YxTqbp4xJ^JoogVMhE9enlaPiI39lS6mcjK9PZoY2nxTAjxD+vmsFrToCFtxp0aMcJzLsbjhQ7E^JTJX+jYH9mwJiX+mjghmb1npCkjCCZkl04m2cQwYN6xtyXRniEQwpKNK5KCcbfIPb^JYXDXWKvy61KJQli/DtUjh9rhBLVGrn70CCuoCHxnYSlmq6Np3BBDt1PIGYxnhCak^J31ueqgP7CVDs+2/Hh7t4syiABQmA+Xvw3E+Zd9zPp+TjZoux7nPxFUx/rm3YFj5T^JvjlF+AruGVrzTVRmpKSY01wo1Nxv+pSpHg0GukvDnRqFHGSamlyxDrgx3orpqj3e^JD4Pg4voGdHLoVkTF+HXNjUZq8UGKz95B4Tvrpy5Ll9NwX3DD0wDG1RDJLw618W6U^JLThJEdnZcI6460SCpiqKhVXZo9vL0f2dYc+nswEjtgkFnUPQMvp2fK9XVEozQNiQ^JKAjg0dXTDJ2K4mSxc6UlXqLpYgomE9vX0dEq1i6b9IktZi9WckHR4nfV9F4Zd9bI^JgQbfa6KTmdmTrHM4+jtC5dZBDtV
+file_chunk, 752, 4675730704, QvDDMBnvKD^Jf6O7XhaaVuulyRhTZPY7oJjJJXSEq/UK6XMmMRzTuPVwjK5hL8H8MvA9T5NPDNDN^J6awIHAtx9vRxa+fNXhfoE8roipZABMXCD510gRsS/yxmYat/2XSUVuwVcVfmLcUB^JGEIYmzbGTxPB9TfPccJVsKAD35jzeyTGsQjaW4B9I1cykWedRhvEd8AeL0O+vBCJ^JxUIWFEHet3dbQvasUZ30o0hMbgOiserhgO4tQ56U66e+Vl/VZUX+DpmxtTYTiVn5^JpVZfYQaoTUpzjAi9t8Iy3YJRwlQRgZHcnzmcDYNuvo4InrEHS1xZC6WcbenTIpSW^JkCGI7fhCLMabTW0FQ5AaSTFKXP7O9+nxdqdup0XJT8Twtuz8l6Mn4PkgqOn0A+bc^JQbtonpY5uIQwVCiAcYjpKAhGV+D1B3TDI5q2+Aj6WPQ9Bfi/pqfv3fBK5ihgY9LS^JW8jZEJCJduoEdsDyatqtSK3UOtftqPWVptW5JfuajYR3CPl84Xk4K1/cQxx5nAKi^JRGpvr0SVoJsS9HRSsoMlJB42Md0SVY0nwp3MO1gcOvKCA5SBI/KXIu0HQ3YpxT39^JV/sR/QjJZvj3u0hFehggRQVo25pQhq4RdCt2edeBwYoxmcJDhnOZD+nEYax8GRUu^JfrkPGVECNPqfzEePAZSv/8nW7ZHXz2+Cted/eRd0Y6qKO4KysL+kjDy2SX8ayrmA^JGlc8VABynj/sshoQi5/nz8nq7S
+file_chunk, 1182, 5416665488, w7c/SP4xbc2p6HIRdJLpymJYcB8aLuc^JltM7qmD7UWqSwePzdNZkOYSY0/p2PiZikeQ4wn1fZW+24gY3Dr+oghOLSyl9RIc1^JgO1jwi/vDVySgarwx2QcGsqac32ow212k0FzWuHSsI5SY3e9Cxb279S79PH23+NC^Jrs3mJw0arb7RYD4ZYIrtnnrSHncN944NEmooPcHD/y10bpQFlvIDO5dPX5SC7ryP^JAHOAkFGnlbNJasU9jjuGbl5KfwAG+lm/WyBS3Qzs/jZKEm8xcba1t+4Tmy4HPfIH^JQycTiGZvabxgg34ZrUkRS/VRyNs5DYEl08BsJFJ4ErXqMxqIgqndmqmFCMWRbqm3^JW1SyJLU1BpESS7O/WtdE0h52qeMibJCuMmSLZ6Ji3ObkDuWnJyQOD6DiywAOd4MK^JRAKw6c/G6daqMCLAR8iYNbKv5vizBN0xq38jnjN78n2L+Q0cHigtBVYOb6g/tOod^JsLW0MZnv2UQ+GkD7mz0FgctEtk7LnEGwwFrOOHFTZWJ69Z670dS9KVIVNLVom+wU^JM2bjpD82xE3kLHtZ/VZ/p5UzZkhFZTMqHisrXqcE2hs3StrJj50t49UK+JeBmNSV^JH9rY7uihuKU1BQrSxgXtgW6HZ2st2VMNWsAFyXDtWAO6PrmSF6L+D811cXHCGZx2^JqmEH4/fh3Qyz4wWp+2qJgdfqlvIR9glBAvF/612vO7ig4LN3+g7LLaXy/gtujFki^J9Dnfq/yKN4IzQspkrRJEd/Zitw4HMnO40iTvk/qmfq0lvfCaJkLNlVqD19XJCPrt^J4gvtRiwNs9QfQht7lhUp/Wnt++6jJ7xrHqmqOMvd7oBX9H7VtZwAN/5tOhznLs9a^JqcBtokxx9c2lWCtgLnOHdNssIC5WcBfQqCnfCPrnq2A1QVGFoIkFin+RmvgdpC0x^JTJHK1ceRTrnNb6VBcmXnraSn5QZTIZ5F+SQ2rgqTNfofokJtEKAt8fUVrHZ81emS^Jf3sbH8UPfa9Xj0jmZmcjRRggrJ1yu0RsxUlxg5siQ2Fy5i3vAb0ZZ5ItWdIt8Jwt^JJFX0FWYGmphyo0Nwj/XP27NaqTwSOmo6xAfoyU7z/28U3k/qEbtLpn5xzVHk6Dny^JP0XGw4JttE7CmvwEi057FGGBu4pUYERfRNu7o+THlsQ=^J
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
index 57fa59a1ef..d387f9682b 100644
--- a/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.modbus.exception_handling/weird.log
@@ -3,9 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2013-08-26-19-36-36
+#open	2014-04-07-19-37-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1153491909.414066	-	-	-	-	-	truncated_IP	-	F	bro
 1153491912.529443	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	binpac exception: out_of_bound: WriteSingleRegisterRequest: 4 > 0	-	F	bro
-#close	2013-08-26-19-36-36
+1153491920.661039	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	TCP_ack_underflow_or_misorder	-	F	bro
+1153491929.715910	CXWv6p3arKYeMETxOg	192.168.66.235	2582	166.161.16.230	502	TCP_seq_underflow_or_misorder	-	F	bro
+#close	2014-04-07-19-37-09
diff --git a/testing/btest/Traces/ftp/bigtransfer.pcap b/testing/btest/Traces/ftp/bigtransfer.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f08f051c5357593dff181c5ff48a3531301d6536
GIT binary patch
literal 32127
zcmbrm3-J8feHZq>*ESeY7snlnhXnFVNE#gVMvs+NT9X*-Ev<I7+Fh-*Qoux7z2DE(
zgAC&`Ez?e!hO`X>#LNT+N@>C)1RBzzlu6=}rlqAMg(gg#PBRH)2FSp;6q|6}v;V*E
zweSD>-j?akU;o|xY4>x^`JC_hp6~1IPyg6o`V+4{d+)P19$)yvvuCe>H`0|j|DIp-
z8=h(4_2YW~vu{#={zK5SZ+iY(c=qh$>+kvavycCp59NR3zocIQSMba2v)}knKk<Fv
z2R`uZFTVPPFZ_`|{p{JR?|t82e&s#ydCx1aydU})`_KOO$G!Ky`U3qw1n67v{&Bs5
z`)K3+&j9+jf(8J(^1cW1qlIU`@t50A{p8>OSD=MI@qHg^p8g2<&;$Lwuf89875>I=
zeV~Jue(j^*)UW*w&sc!^xZc)p;@`bKkiX`yywvYM0nlIn<Oe@){og+e82Dm;AIJ~H
z_k7)Ncy<7^Jg%4e`oUM2*MIbRUtfEvudhG)`pFMJ`-QLm>KBLrjeYbJ$I;i`d^}k}
zeyfV$sjr^&p$%RW4c&kG_PR~(T~Pn-r*AiQ=imMG=Eq<A0QC5}T@6oe8$1nN&_0zz
z;ejXYsS2M+^vTWhY7G2udGX0zb#wElJ^?Kx-BVeOPZ;)5a{Vn&=b*iVZ`D=XfAk5*
zzW8xPzptNeRapkNKB>y?c`I(-RZrs=`&pGweGH&L%i#MjzV`I!&zR)-lNUVsN%uv7
zz<+YX{?Rq^sYuG954uMmlhOs?_oSb}w;%MnfZlhQun#^X{=xtCpx6DiZ=bNA`}JVL
z$bbHSzByq(|Dbpa5dW9eE6;Xd`XARzBJjayAA22nAZ~x`D<XdQ<K$mL-$4BQ=N^cc
zvv7I}`}zaW1N+wyue{mYmxbXO@%oQF$KJeE7=G^817Z07Pk!*(FMQ)Kzab2-r5|HI
z|G5X^Pg<`$`wr04$MrVE)9XL}9Pu}QMMNN8zwU3piP%06@fG^SlvOzw)zH0=ki3c_
zFd0etVg!G~`O*m9#t!kPKJsYqPyN(O?0o;He)8u&0{F&$DSd;TfBBwQ;n&*72!0MA
z%Aog;>urc1{i}cff%u2M`YR%S_~RH3RK<%W_X6>3pN$ti{gdDR%Cif=d|Yp1Mtc3z
z&zbp#mzeno;Q9w23-7N3CGo%oz3e~6{>%5^Kn^dOa(y!9I{4_*j(*X|&;G7=qvN|j
z_GsjX|N2Xv|3N^<w*oqlUpl^}^ZkR4e+&@cnU3G|p$8)Ni(e7(!yiYE-}hETQDDAE
z$L)8&@(cz#=yAPF$1A_(_5c2XtL$H*<68k8Km4G>oZh5kctHpDnlSZ2**#zB-B3T2
zLEwM%1JIM8pFo>W3cnM;)1Ei>;OVS5&)<pr$GwwqHlEJLNnjrL_B-&d2fTjs@92`{
z#sB^{|Bj;alW_j#-|?XRTfiG|<N3=W0XLt&iXN|qGHC{I?*$MKo|uavKLOnbUh3@G
zc|4sCk7h512<GhxG|oK!$ehi`JN^07`Nb2srvvSWVNXK&(1VXD*?!{PCi(N<@t{uo
z)Js$H!=L)e&wL}8<PZJg?|aLX3=hO_`8}^ZlYm@4uD8kjhX3Cli0}PvUlH-cAODc_
zZ@h{4ULc=?Zh=uhU~>TL1IWkq@*F=iU;mpA*zLdd);a#nH-b6-YmYhp-q+qT$M3~S
z>gnr|uYc(Nxf<H1+t9W_*+1oATX-n=7j6C@pv`wyz}tWFX!G@d^QEEuH9(F8$oar8
ze*0U8qJdHTN8kVIyR3lkh8~DN{ExmO;)g%}0p!nq5s`!b#e<v|)BC{vQ$O(Pvm7w<
zxZcLjCtm-F=j=c)u_FO?e)PeP_BC&?^KI$J05*<qo}RA&A81G2?YiV1JUyiJ>7YLS
z_V4`8?_94oH2s|)`2h52JNa|3z6(o#;Pz<yNB`(cWBO6RQUh3e|EGbRJXdnh$MkLK
z1MwIC{HyO`VSUqcJ@IwF@+M;UxzGNY-}h606b${jh4sh(<CiQffc&`ku&^HJzxgk`
z`mbSOeeScr-2Hd&{qf%nTKHoR3u^&N`AZhow`C8$9v0RE`LF)PcVyz(Gh%q(gNdL1
z(uVz_-+v6Ce>Gsj`q|B!On~k6+p-7Z&jQ4E)|h|fw>=R5;>%mo3vNIB@%MlDyWfJC
z?v%#{^1%J{55D?tTkHSuTwZ?TOY+hHdHIQly!;mUO?k<|_&<jM^NP9Mf*NSaC*SSe
zFEf>1wD%AH(mOH(OqpN#<B#_2-}B~-zOb2p0?5dB0cPI&>2G+;IP%8`e)xx8eWn9_
z|F~X~`1ilUey)BXYJcF35qxnLzxpwYj}g53D{mcv-;PuJ+T-67c&wh#$J2|)m%V)P
z2Lj!!pZ0G1gj3IrM)C>h(*K_TZ$rTUb-F;Tp6bE-0Q6crKL7XHYmc5{PZ)~6(fcoZ
zNfOxl@u1Kz9|iu@x?or6r~bu^eaByZ#~FM7GvbFo_~7@uKl|p4y(!C|ei%dK&!}(C
z*yn*PKcBH5`ZC0qXY3jAx#od*_|M)tW1s%W^BMc9XTR{_KmL{(`}{)&;=l54ef*}M
zejt7w_7(d0&CmM?T&yo@o;Um0yes1G`mY{{|H%1@h+hRpt-KxaTmS1X_3<l=x_v(C
z|MaC%e=`{M_dd+x4}b5Qqb|Todp_!a3=rQ%*Z<@Lar^!^5MOwRpZTsg*6t^N@GXd+
z!}0ZNhx)lw^U<f*+^5&_r-z5Mej=U<x4*@}H|eY1&0k2x*Z<Wojpl8eJMo2|dbF*4
z<V}9Qw2pt|lOOz@U-<EV^%j1LGnm7F@q6F*rZ#>X;<vt!eIRl_^c4|5{PAa>`CD%w
ze(g5_IV%iX7oL<4Ko8`9_?_>2Hy!ssKIiFWi{VEAPk;NNA%3-egQw&7e~kOuZ^FS+
zdXD}@caeV0OZq1dIBo6xqP=hVeeZjheXx2S7x<azrIGw?pyU1?;O199RekwLj^F<n
z0Rs?$8U6fv8#i1<JVx*{Kk^k30XP3P_7Wm6Q@?DHKN|QM(7*{a@VH(Q&JRB0U;m$;
zQ}hHH__AQbXZ{|b=;t34ec}-mdG1Giks@sM^d;r;f|RfM<hzmbBhS^ycfD-z{5&A#
z9{^Hb|J44?A^i4N;TNR51`ywQOZ?DpdGvYxvoDeI0uhk%&;Q_C5nq^44=(;Lz<rlx
z^|zjL@lxRBGyec^@rw^Ge%t5Y<l+Z_xcv72R}*SQfnD=qLOt64xqt87So+!L+kE*m
zFOBIJKlPJ8|5bpc&wuLaEo1tD2jczrzwcd4sNvaTG(Y|9O~n4Yf9nr@+b{hX5QFC?
z)K3AU>@7hmFrvr3hY9sS{~mx2wCDfFAk}yO)?e;_`S_>52ek0x4-@JSUBBFfIzH#?
zVM0BSe+VGIgUJm{sNd8*`i=dum-_wV0R0a?OsHS^$8Trif%wjg=xhJV1Mwq|xWt!-
z>t1jR<mGGr?wg1o0TTEFC&4(qw21zbfB${Yem@}NalLI3^{@ZWj|P-~0vh<TMfCGu
z1qA1_55f8DFT5!@e+~%FM}Snk_RhA{!_p#gdP8BWZy}#DZ+^s%K#0t*#xk#5|AjcU
z|G_(w2&^rhe)Q<QpMGh`p9SJ{1mg5BzW0B9%aH%vV_N?FcfIe~-=Uv9zg`;S`{^J5
z>_;DnU-Qv7#`whv|HF?7f9zuJPrNzCzwlTb1{c!KaVM{-fIVg%eNIJpD4K!ksc;iS
zYe~D$yXfwFr<^#RW1XxBD)ZT)KGDkLaSP;N-3cgUhd*0a%m`%aVx|)t!NHNX>*C^-
zX%pz`{=#}5IyCE^mu$%$wuw`oWm5|l$aIPVt~uTG6=}8toVrGXx9Mno=GoNbS8l;i
z_e%6=*QeKk!Qa|t&>a*>M4jMD-iBmx$J_<)9<k=28pS=BFKLl<oAMOhQ#YvOm^CTn
z+H>nr-?+2H$<0==JF1psp+MsVN;aeyg|o;BEFQD>QIfRdxi^xi7U)fIIrUvJl`5>P
z<SB#wnLVb*b!<$>d@LGg=qm_u_QIW3xv+IEy%7`LDqrImuTkSExp-0Di&sXeTx-0M
zHp89PBuV4DjVoN~_0`m_Jwz+vZii-hp+)ZLKx{lr4ya(-Ul{blUF;1n`eNA3Js$5X
zecK3OL6j#Mosj9+krN_84XMIgecNaAbZ-=j8TaRttHBu+EEpa-+_==ba-n<o48t>8
z)o@l^JKZ(T+gcB3;SP1!bsqXGl*xl$v^{~X8X66Vi;<huYLPnnx@Qltxr4VJj4Btc
zERxw;8fCDnOxc{y5a;ha3;ZWZ-Ws&KZf&Ac`10a0I%RXb-{Rfs=xp5GUUSd&FsnAU
zv9v|=M*61E*a1=o!(MYMZMp81KDFAUVU}W_<IHvGTitPRNsQ;qjLBn2@I%N7X29?7
zvFXEB9xi4H<tKlp4;^_$FFQRJ`65VREQziN!*5*N4)OK9aWk5^+;`sgmTWE2sWGZ^
z?Ca32m#TwK7?oVyX1&^nIqGNYvCMjNr%3%;kXhS9s_mL|q}_fH&wO)-wYwP)v*sg;
zaw7VRdVm_ulo42z<tFuN=Xe+8v(X$RW{tNV#soL^ROX4TrYEC|sDVIa1->KcsFyXp
zsmp!~WlL`=*^M$y36<h|RH|ZHn6PL1zO=g3>?$1;bH5#L;z2Br+9INHK~=mT3iegF
z#64so23IT9v;lK<%u3Fvh{U-$hr?CM1p9QuFb>vnOV5b4haZF!lGARq)ul~yUfbb{
zgy1~gF{Y?R7KSHH(r|VW9{1}7%i;A&sSrNr&&<w??bI+goP^@mI3E*<u<DGF%L#@O
z_dJfRYI9kB7pqI3bfy%V*rqiqOqL`G7sZOKIGbSg!c&e`;v3g(&tTh3?#hHbL3%FH
zK^|>0W4l$e#UGiNG{Ka@1vcZ03~TdI7MFCh3?++3<WVRFd*5TUalg(Kk62I^Z9Pl6
z^PFn0){bh%mSHqqbi}9NCc}4?bvcnxs*pj`s`8zMy>BFWeL0-7*x2t#3L@E)x2yDa
zr8J(wOq4F>$>hPIGPL+5xK!}Tb^?CzD@rczJGSg3aYWTk%bHq*@iYgGw*!&a<Kzf>
zw+kATi)*<)4pE(j=aSp7IC7ZBDyVUhQSif#SazH8V0rMd6zDAR0;q6Ijw#kP-jpp?
zhCqGlxNWJP5zN(?to{7FIfqAoxskAoF<pefXWFq2I==<F^}LQDtqo0FK2`E)7j<)=
zv=u@#)IAg7R*xoZ4kTGc3*IaV5zhilfLk)a#Es%C`wc2&CrG?vv2fFF&7xnCHfW`k
zUt1c>`xSF9x<00h_SPvOnl#9K*SwtFoCq_*U~iJ`!_^KUfkN-u9Vnc_;*MmLV4Jh8
zqS*CB;M;P5Z{?*QxOS!EZIE9%(n#56S(!L@Se^S#e?=g=^Hs;<Z%8IHM{+P7phC;a
ztk+@~47jtbSX2|!ZMuo)ZNF2t@G-*Kc0lc*&K2djKqGBkoz*0dRH@;$vOn#!Af#)i
zs!FMAFZ1~l$LCboJDkm5?^bP`+rwDEyHhuBH@9Vmi0r~nQI&B1BqgX;=c%yV+Z3mS
zoGls`7ZC4IsjE#G(i`c_-mif?t~Il5c_$Xc_5y_^v(v_ull+NmGrhpO5nbK<PCuCk
zbUxPgY<mX1kF8<Jn-ykCbq5Q{7}gg!mAes#C~i=QhC|BrJS1e&>V^qR+v2=I(Kc*2
z-t}PJT3@#`-b##y<#&^U^97k!xpWh`VS+A$&&Nkbn-+OAj#4phgA*ZUur3+Q{a9IH
zq`^2AM|z}Kggr#qp!PdbIjDGhGWSLZ<!L${X)zZ<XXo#nC^;PDvQDbgLX^nayPfwV
zMkZhZ?F(60jfcXdgc8H<tf&{4o9#ick6+x%FDGGLcY1LS-H{cQwV@fCP<5SK%xG?&
zY!1Gd1TnP<5UQvqYQwk7mFS0~0cpDqD^oP}V8Q^iqcz!<yxsY17X1ztJ=R}wUe3!}
z?`O*GY^E!t&g=ynN87HVo@ya;J(|Voh;ICtFHYw@ota4~#pd7}HG7iRu(-i-x17XH
zFxj>m+6lEs4tzQscPCDzPSAMPB8uf%^V%cF71qu}#w<61y!2d#?#}rwL2(xA-3DiC
zi~~DQeO}xq=;ATrj(2+tnLAb&{TauC#-)|x2*h%{;D(S$(N?*yvh^ONhBLqCwjzxv
zdPu27ahMUm>aDAF<^pIVHg+QIZHrV-t>Khe8K3d39dksY$W1QUqV1EnbFuRKX<cA8
z5f_a>z+3CYtGI%65SQ^@c(`Ba%P5>z8PUs!li%<q;*o^l3tlOq>o~lD6-0_cMBUmA
zdQAP8UeUR)+(rpf&}?%FM%PSJeTVrHNt2eiKe{W=;o?Qpa56hd`=gE%taNASaZvd#
zSX`<tF~4Z-5#mngj=?Wfq|KW(uO7wYbuGD@!Pp!)3%+Fc2JeD2-jTN`X`J=s)aJ_K
z#9S0oS#bCZgluna(2+OK%dDLoZ1n4x?*fi#t!(VtG2SD~8NXZFW-9OcGTV&HH|PAI
zYr)Lg7TQCjaC3=Z*r*ZZ@3hvT&+A?gI3J{x;Eljs)&^az(GEw;%ThGbW<6W6pJPSY
z!HR6r8Z>S<12)*XpjM0w>{Z)d?@P<5m`Ns81v|JxxFtZ(@C|a5GNr55(djf>xrldh
zbAl~sqKHzFz?M)A1XIzLWTqzSx>(~R+DNKrmOQfLWl;0Nup}h%GmO#wt{D6|g3TLd
zK+JXL@5huH?q$>}&LmDvQeR7pr9_=0<|Rn<fo={}(DlX8WO2r$;D$vW#W>rnNfDZg
zP1uZJ$L~_s;7HqG@!cUb4y0rI+eEjIg<u>G0pV_zez%s#BW@$hbfYAmV7&2ILwkhr
zuD#-NcBEy2w7F+ncUP{xnIHXPdvPRL*38tox%6nRVLSIKsb%bT>s{f}pBoucn}Me)
zOwYE)0VZUW$oax<h7bu)LE#-q%$8>J=xU9(6S2aZL(@m{8@$~roM9SB1q}qenGN+2
zZzWvvFuq_VI6WwXlS%h=vEdrW4ppP)@0(@JE`cWRr5kfym$0GVfaRk=9eY+4-!7N@
ze&Y7ZhTSq&r3EQDAD1QM^!(~$<ROC3V22F%G)xc)f4U<miM2a3z9|ql9qUutAeyge
zwg_9}$X6O+=Cyv^IoXK8ja{8(zw7x#zEeYdigfrUc+OR(3%(98C`$>-y~x}yk#u^%
zF45^K$uzJ>#G0ISLA<QaY@jPae0H3<)L42ziQ-gWZ&;?}gU3Kk8B1#2-F(F<50uJM
z^^w6F5$-UBAl)K}bp`0F#dD=>zYTDqYw9?PSEp>fAqSl=pyQs}rfnFr28ahw)x;6B
z<$KBoo|f2f@587QY<$reKH`IXbDug`&I~aA(*~t9SHqym+WHmlbth5t!~U#>_?7G9
zs@<3}*aYSadR6c_FwfJliG2o3Rbo$YR9KwaV>=Gj0XnZkBagg&0BjoEk=yM7Nq7U^
zbW#|BX_ok_y*RDsieAE=Qc~WH!4;S(%&bThHD7GV5t=NBF_ytp`8+l8wa8k#h26pv
z+NC|pN()*T(n2?Hqy>m`1Sa15JAO-F5DxQqP}-ydgP3!=ZD|INgdM}O31fI<TM_ib
ztMV^$bZ`r_vunALh_UFVa!)7bFnMEsCLwOKAp6w3v(+xASBUMT5|)OiUFKfb<6>Qh
zb1-`fpHW7V^CRO2BI8}cNN8koDz6$3>2i5?8G1fUo=au*aN@0P;7J}X=~JSw2h_^w
z<m#`|^1Sth73{4y=j#&fY21qYwI)Mi#tKI(q+@<SYbKti%L<=$uH99qiK}x&MQZG}
zL$Rq}crPWjTNp>A;o0_OK8^TAgU<31cmf(yEvj-vaRc^ZhH?lND5h~Gg1kGO0=b19
zlFLgWvB`#r;P|u#`b9MIWVJx3cVv@vbzsrC3xWf8n|J-jse^htj?rPwYWLu#4O-8R
zLW4})L<#5Ry3!~g*mJ3+3Xngip14;)h#*w<d3d45``}K%xy(GXV{baI1IW}}HOqk}
zB`1o}OJ2eSx3B!Lac&57tMl0enu}F{mu)7JB02}HW)2pIZ^D^K(c#o-wyMUb`#L;3
zi>Y~L6y&KYjt0kE2Z-kS+f>%t!2q71<am*CuGW=2aWgRaRqTinf$IeI-m+{1$203h
ziMd9whutkDQ5A6@cB*fOVA4GF*alh9A1vJp<uJE5_QaypoL$#`dXP8HAy*8~L2o#_
zpTg~Qa9zzy{1UoiX6B*^x;|%kB98dJnB;9iE~B>ImBe`ybM5Hr91ooK16OHi-C`*)
zk^`1ykX^=0Pzkp+ej&K=%=FuNy+L6)cVI0+3i6oU;_}={gMAHHfeHh+f_>K5lJP9o
zdo@kx!+8aT@ZHH~Z8|K`5V7Tv4A5>+iS<lMaqYE*rg%D?Z%dS5*PIw2dEzsyc_vXw
zC3nCOg?hhd<`!P>cvR=M7rfpE%^2uS?i~w;ygJjt!tPsBJ8lU<*oL=lO3N-D&n0s>
zx`}~+t*y^_92c%bFNR_yvQZ{(ofQd}2f`T6iaUb%&y*=_S?{kjHP$szn#szwe4^X8
zXa&u{RFZH0%7&Ar39mA;W}EyHTs7&K?(&rKl08>-%PJAsQw&TY6>~{o<~TQVhH2OU
z=6++4cz>W^?|3MqiA~0)F7GOH(7H(!Wh**S$S$=#TkWI10igwt;efZh93xmUMSTTf
zCgnQbCUkVvX765nC$<ytZYL3#1z9;n2}~A6f$7S;lvk_ltb^d$Lg|=<?<ftqhmH-a
z*i(CkU8}sz0?ixUwc#(LxkFku^<ovlPLpQ9#Ue}85vgN-HRC=#cXD1ZR+vLP5MPIe
z^}H^?zLO%My7tz<c06pFtz8-CpqquxLG>{8sA1pQ>DfEYr)WJJgSk2eFqAHEw9(S_
z>L%{<tC`<j)``Y}juH_$7k*~!30g64G@AwcZLUXXST<m56QUBJv7H3nY0(!hmSNqO
ziWj-$coN%lsf)Cvu(vU4ClC~q8Y`H>W4;`_<L2sZbB0q!b-!C;yoZiPi!R+JqGu-C
zoR51qwt9Oj5sL0J3R=h;pFP`4k21#8v%w0i^tcVi{-!ksTPg|(#h2T;nxlx=N*tR4
zJ95ec3USMp;8=gy%Qq(3ZMGtJvpnP$(ZdKl6}pCbzgys7m9!9PIlAo9!}T=O66z@S
zDmz{SFImQB?Ot{%e->vriUdo}Gf7sMi(TK<YXQc}Sc#hGP{5v*3!B`k?U_GhAv#r9
zedpj=Ez{h-#@otU+0&4yl`XHMfmx8l8Mv)2V#6aH+IR~U_qv?8(cO7zVM|C7d+xPQ
zlG}Q^+Q1Jw9M!Nr&EuUv;`BwWb}5xRXzPTmuBVN3ze7kPo|8tsNBrQf*1VpGGYD`H
zJWdgmNexbQ?X4|{oScQNbKo#d@aA~w7bWXt^JdTvq?*9w)o0UPZ{~ZU)`|qSEn$Oq
z!aZu$+6&~>v=xF()-%55`YKILX^WW!h-|c4(worUid{tRF6FxNRFm4<N_19aoIQpe
zin*=p$|sU2)g7i6qkK0?TdgS8UMcD%cD&gj5OO?PbK<Ret+Cz6r{Q#=`$$?9G;+G4
z&S7QJ<1VUo?HXO%fmM9BNs3XohxNYe`r!tpn_g$F<Vs)7xNZB&h$znlVb?Z4_@<4a
zZm}bp@Ft3BpL@3eC-2wO*uwk)7fK{=P7r@7qs88hdxPUVG8B%wuEfX+sa;zDz9<&h
zM}f2|<v<;FAoIA$*Ty<wMra8tQ{d4AIrluoq<+lHVTO+h-BE^wBZCB@>P>!L@#PNq
zl1tg!2bkItShF2h!%9u=FcTl}Rp3C;B|eeDMk#^*(2p?Kx@Q*6k&;o)#L^$GcP6^>
z2N$)=Y-{JTux)4LlAk0lN#~YtVJHW6w|Cm^!x(J3`m`Fti)~J^1rNP+QE-AW)%p?=
zVwztmF6W2*ESbJQ1BXU)K!6B^>XZTQ-Z_c(eo5K%G#9WYQCH<AyS{NlWsA5F<j6Rz
z!i@rXT%-4e^E5?hW;!2cW(&E-K2bK-rriOpLls$dcH$!R7ypREoCz1GLI`f1o$-vl
zNQa9*n+1vGMJMj0j_FGeI^}B29?CPj>C4?r4Y+r0(qVmrS!+Y_I~FUL`pRL%22okB
zGwW&MXcn>5g5Q_o7-f(&oOH_Dvy)@EMaf>oN^}=dyoAX19!m)AoXV9~ZkAiknuWS1
zYh>*XE?FspNayl#3#IFg&mBP2O5pDGFzgC_xuU9KL}hmkZfL6Ry=(ySnlp<vsI?r3
zwmNe9YUNYM*z&v$v{_A>PoJr~)xoKt9T6WsyB^^woxnItx}0LxUpu%B;{lrQ2plKR
zsgWN|v^7*B_7up(*C%~dRW5_yKxBIF5GA#Pv%Lx&^zn3;CljrB9HZ@}GaV<R+~xAv
ziV5|;94_l?2#H5tN6CjFlC6{pWLRLgQZ9ERW-e$v+f#|V!p-TAjoEJrQncq{gV2Q^
zu%4C|3JgPziiI3?pYuz6*nnbi;4WJ?CQt<9I+h@kjCOOqW`KXB4~8zH)WNSCdlQjW
zl?KRNVj%9oiK_z_#plo@<RX&YJ@0{j6R5YJFReIU;nnJ>Mr)bwopvLyM7dJWZMo*@
zd!o)EG-3&Z%XH|`@>#=UIn6J?J`nD%ZIl<wDz3&d-n5R{N@MLOIqPsNoP|a$4`7NY
z;|zI=w~wj7Iqle1ml2lMrTeOb?;wV)j%v&5Cynl0et#148W<6NXy@~-Hg}n48;Oqc
zknj4gjewxVmGJFW(qj3H4$gQRFX_2(4`nh&g`m$Mo?kH9hW9o5g!mg^kpw4OxK=GR
zZ*4(O&i(4JGgilvgm)X*S4+j+b|}}RO0Pzh2EwZX!%e<4B)EY|uyHWYL#^lXc!lh(
zo9wI224vDmE7XI~zUn*Xu%6lLfaU6ach<dm_UWK@Y&;=t7;)QJs5hH%tM~NQg~EBG
z=GfIr@RE0VF&<19UyqWC#BR6uqbw)(wRpnLu5&OHxdd)Col<<$_|9q;R?`A4_ZZgf
zD&{VPy0&<#%(CO`dn@1H%Rb07`P;jK+NTjY7TxJcYAbfPH)GuvV|g%Tw}j+i4ogK{
zKn!zm`D8d}6Lq7imI~*czF7@?+F>KbSNjq}D$6oy2F{RCyN$5H&0gk18^`gk2pO|8
zoccH7GMsvnV)0vn$kt%G`_<wAwY|wuESc%kYDzMgr&XWu!uqf}g%gAftA^cBt1Gcq
zt{Xc$C1@F*_8=r`-?=p|x)-L+sF=J@!f+m>b<B%6(<`ChS?A+@g+XMzTPqu7GDu+K
zom4o+NORTtATz10_qn((MvcO6JH4CpDLie``eIr*h}1^AHF5_5F-VS_V75W}q*hoV
z$YsUe7<-Uup`}1NmKCjT?)PzsCOn(5S*jd51Rk9;6GL(GH=`s#O4ay0lUt2a-<xnv
zktV@=WQPFtcqeO$+iRQ^BOrEE12ZhQj`%e)k9}~<*BukH>n#)mvrDvM!Z#TX343qx
zv2q$3Uc0coW1rSmnOF+QvMPLchl|_PHVi_82qmM2oB=XRkfY2ScfSks1YgC#uW{$_
zU@UB#6UdE^%5fE1dy}OtNAOczIyQmi46C8$h@*c3{*Mi*yq_^K9%S)WNHk`%!}-#=
z_S5wisSGi#4<Pn+wehoZstt{}2t3YNWz#Su!9{4dUPHBFT^y%X@g5#kz|1x47M_MX
zw6CKk<+xPdxzVDqcv{D9KXrj@2FOW(&oz9gs&x+nQQMLVMP)~05<{F>q#2X)f~F>3
z&(@}NIpaXx@&WS+)?fr&T{aC#EcJ?FbG5h`B9vEbJ4XuVBHF#5lae9ICX=@6fg+C>
z8Suh2UMyO_>?bGFwo7x7ZTgrcp_-Y6UE>)<m}iGF51u<Ds}975ZtxJJ34YJ7n!Mc~
zKo+)lx9EAcymr>F`f8l`X{qqYn~l8Dc@e_5?D?cCl3|2|6$BcIrIgbiReG_r9>nt7
zxMyvKmHptntX!oM@Wwc8E@Xb!Sj6K%L{ryDA@`7|&6$};d;;XRX>;C4k*YOV+4QM`
z4^k6?3E6Pxl9GW17Y6J7WkPop>bsDSQhTD$T#?;-hcPIDc<Z>aDx0EBGTWNxGbUYA
zYh!fliw-sb;!^KW$GvpMc*kLpgq9nkh-F8Coqz7Y^ld@b9u-_sL(KA!ZHSd=fE1yp
zt%Id%4<hNajGkB5_{O@Yj!ao7;CmOtDw8Ah;!u%f4m=5FFVWd-fNV-Hio0zN57)#t
zQn)tU8C0cZYadyx8W~w+b%qGk+;u1#itr(Dqv42qLLQb^bpy*fD$hgbQj}c>y;&$W
zQyqr+Y~Iq&C8slp{@#=eBpiLM<l{s`_LiDt?ryocBBdHC;Kg3r4zVVDQzC%}ldDNp
zFJv?7oOm3hW%O>BvjKTtxo6PfCfI!pENG<1{q`gtw>R?cU(%Kw=d@*H6un`GU3I@&
zaN7Cz`k2}Wc9f8V0_E1h?_rm(rqN%BqTC#>(hA;OQodGfJteL|T-{|Dj;(EqhJG@i
zHPv-*he{hwbKTESzTRh93G&&tqDy2Bx{Kedho7~tSf>EaGR6bNL(N1x>O8kmVe+O(
z8Fr*DD{;BA5`<R=Hu786rOhia2Q!dmR^%A$hs{a8FN_kOcHt6f#(2I40dObfTSjv{
zoU>Nu&L$Q?>b;Xr(UFen&FLgpYjs9<^tIx;Lnq80To6vztnGli1)50#$5I?&Nm$H#
zzdPH#*td{~(!CnjwsR2n=SIJ8&KK{tL*(AfF<3m6#w8#x6Mt<-^NOuccinBo4kOEL
zDDIjFghW>s$h9YwMYzCKIbPUHE)2nnhz(0W)$WiFE;Fd-egMW?r4<`j4J(|u>D%t;
zb4s%3q2aV!iOrm9p`%tbenk#y)1v~2Mz6-r+)+ImjLd=DumurRna`X+qB0FV`8pF<
z8b%I~NCNr0tqY1sBeN3p$q&Q2y$}X<zmDdC&Q@aKQ1G^8K?YF)JsZvD6x<`F(rvb$
z0;r76;iPF|cN2l1cvAG+K6gQ`V9Z*x<O$kz%I;8W-I60BSpH#^??Dj;DB6&@M7iiJ
zlx!KeS_CgiKzs=oi5U1IJ5UxREN$eqEkXAfVjt9%b$7O{sKsh^RO{nvYgqeoUu6Mw
zkb|5Yj=_Q?m-DFYro0qg_Eh)b1q7CSZ=H}@W=(@{*^IS4S0Fok++PM^qt%AAid`rX
z1)WotD<(GA%;8FDHhk-bS;w)DgOFRf{pE!F=M%aQq?qx{ny-g`WY^J_#n-Fi3dQJl
zBl(y_BkO3h3ilLqmARF=roc9^D|WJkYndjmkGNbOMvBc&Lu?OLENzfGNMyzsG{nI8
z5M)q%!Dj)%k>XUFYi4DjS6AAmVbcZ(v1epqS6suh51(?86i<{>T3V_byG;(|W!DJT
zBh1&GELvfOo-bt2kvh9a5NE6w9az{0b5eygBNlSgOU@WkASWX@p|GTe2OX=vv0Krq
zU3xbT!B+P=y%ddu#P^D+FA;`IU=Jh<&A8rIyJ&XOEqUlM_jox3)n4!+*H%~3#@*m@
zgRF-ryys1S2&lotwQUW!P~AIuQYb&cRFHzn*T%Yv8<Z6)Y<q!O*??vX98+qtR#O<8
zLC&$XO6miBGlAy6mHBC5Bl})bNNCjo<MG***Cu-^!opCZ%eXHvXt_j8N~@ZXN;gV7
zDVY-UNblM?BBQ>?dXk^Vi*(!%8yB07_z17YBU=HhX&xCSgc+#wj`vJo?I@TA5ql<~
z*3x-k@D<HfDU#uqxVuYRP9j&CHqCzO7@Olpi**$7#tYa{6$q6_9L&%Zv*j9Yw5<lm
zW7aRgac-lAE<JzO>!&+w+uq>W%z4C|ixq;{sWcUdu{to&VE|?U2X~3t9DxzSSOhaK
znlNfnI+9F1H590n8222VJF#D!J;p!X6=HXZ98tYcT>~8?RV3CSGj)-9+bYyHs!uGj
zyHe?)1<@HfU9&YPd<o^!SK1@8z8Z(6<G^AnRaLpN9CT&sm3-JNjN4IpzPq1Kd|{qY
zEoAFd8@WIMqDgr6DzIgBY6oe~!3kKKrX*^0sf?nAD7Fsm;n4fyHG%h`wVZt-K6Vv|
zZSFkYyYAq_d9UDZ5M8ByzuikcrR~t8-82W(hZh(s?_k>%8EPsUry7v`%1JB4WY`%g
zFqz%^#)SmI48r1J+65LmAKrBpKGej{qxQo*3DCLF*-3Y0;b<3}x?c{XbQBZ>>}JKD
zycmaF9S&`HL`3)4$Cp75cUafD4r^k=WLXXj4W*Iwy>hYgE5?Zw(`f5zgC9lUsHDzV
zuKoUkSi6ERkaSIOX?{vVO<%?Ojsm*=L>!<HWYb*nfH5hH?tRoJ4yD&8z$RKvW*==T
zysV;J@Xtc!RqR41nd4$vL*9o~7Bvhobr)oWmv|&L)kfkgl3t}df%B$=(uVs8<eKr5
z#v?*s-8R>Qy}GP@oFhreSTvFw?-D&j#lb5Lic&J3)@9YBSONw?0#vfXPV#TqcHGkD
z5cI9!sLfQ*;mYVE{YXbvw(Y5<Cm}1XoVb-0s;b3mHHbWiuY6Ex!Rp8Cx^T2I+qaW}
zfv87J4aEwiYp(vqm>Vnr>1>W>pp$l*Va>-6$4rn(HsOk)^x*6s`V+O<B&5GPTCEb@
zd2y>3p?8VrVQzS@nv8wmYjp{EfoBL_D{e&)mOSiELJu^)3w&C>6#UH<1TUv7%hS=m
zj6vck(ZLz0BeP2h33W?aa3DCLX>ITGuzJv}`8+r~`XbeXwFl*KWK;KawFjvf&56=d
z8em^9j+CAlO4x&hrynsWgcQr6Uty<ALtuN@Z8|}|f<QaR7-MtVf<hKUw$;-vo$p}v
z(3e|oFv*xjL44t9zuu}45~A6nFeu|{RX^?(;9Jl!jE_vm*T$uYV1h~(rDBpfzv4oM
zX8WCu-1f&BshzE&fVFULKrF!9a#*r8vSrDD)6i^KVYKBd%p4gmJYm;!LWW1|Hi|i@
zehm9gj4x$tVKbO~C~HbkfTiPDJ!lQWdGw%edAK<lb)dIdu!4`|t@LfQ)RoN{*BRC?
z^aFTeRx~Q4y$0P~Vzc3==r&YKN^u0vn|>dklfV}-6WKeFWk_p|^LZypLlp6aY^wJn
z-}+p!iP{YUq3p7h7c9Plh-rjQO775@wONsBbUTlWvBvK;22S#lJNoWuBz34F+5}1W
z!qC<7aIOdl!EAk78g>S9o)%^YGJC#*m_!D)TCl}5m(GLTp(c+NU{~EE*4|NSc|i}C
zF7X|p+Mz4hx(2`qeZteoZW1cFas9fhIMhY<phVKZqczZX5>Fcn8J!%fXr+6jI#*G}
zmQ2SW7;BUDh_h86FA?1@SRhfCVIGhaSnGne5PTjQ?x>uqo+M3K2R^Qr+;KPa7Z=@K
zI*4lh%7q;zxQ9597LKwVomeL;lQ_sRsCXG@ezz5kS_S14=QD6bYH^FkLtD?y$n+rz
zRV;<>?e!)%oiQG`lER72(UTnNe%rVl+gtjk1Fri;K1!P$v5us9ZrcuIyqa>{FpCWZ
zdWP6{^nmU}WsrBYlV)el4DT*SZp4JTotiDBs}App$7OZfhqEhn8x7>{Rsw&gauGUk
zTucMQ{}!zTYhkmbTo+|~Kg?J>5CYFrGjO=gGYU`g5%}<23s&e^m9EzdSRF*LgXj$m
zif$Q>%@4tC->vGhjq{z7yI@O;<}+7-P)j>rdnVK{Z?1~%4j;Q?bK3>iWXFtKD3Y$K
zk#3!9bTS&c5!1FAu`N4*!Uu%i4+rKz>lj5Y-gQH1B{|H5EnuX}N(d=+d|X0tY{unn
zzrD;`Z3c-dL_hO7aBV!^;z<Kk7wJwCuZ!3PX>Yz-2PZu=&51tbhc4VDas<gP1*#p~
zD*~E;6|anlEUwO}CfSM-t^7iS1qa<<gm5ZM{4gnfu5-8Pu2M9Ko>v?R-44T6ZkEN{
z`U|zikeCrWdO=4V?8c9p27HxT4#IY!E5~yh<hUx7tx*HB=$ssql>^z6lE@h@$S`U$
z`K{=^P&~H*pTMA;a-U#_6~Dh!nzOAFecVn`s=KVeU(Y9oYuS0GA)ByIGG?;d_2S%=
z1f*hhl)iPRWEmbcpNG!P<HFt7y2RZ<n&qyFN{zGIiNDo*P{MG7<{8)nB$ZASE3f)#
zn3WMRjtV~<5vD`o6(w0%50@aqJGjznm!{51-(yvCLc9CDxZqGSTqiuwhViD}+PiwY
z+Q|^OH`ULQMPHqh79=3~&Ir=hlXjU>iB<$k`?MTk97?rl5n6R?VKf>4?3zZo&b*Bw
zpeR8eFwYpkLXv@zA#F>B8eqaLD5JWf$+^O2_i#{z1ymY9_T8)uUhG2k3=A?^6As9j
zUqNDw1wwQj(ap+%afz9&upwup0iI9{!qYq4^2BvSPdBJ{*MSF$Pn)vBCJtwfF&ejP
zU?tb$c?Ie^TFVde20=m9zmg*B3Bj50dc4BL-4iG(5}-Y(?Z%H4+&f23X_!*efTNds
ztUQ2l>b$zapm?CXZ>xDZlCw&~k>7jUppRYGx@J_WK!koldu-<xxnN1oURBQOYANYD
zJTiU^yeYeGOZV6{Alb?S1-Uvioq}<Zxj*|zO(YiN_yL38`xOaFy;fUyt0}FQ(Kw@H
zxGrP-(V~e(2m%6>W_OpO)XM6nF|*NxS!(zv&VdTDz%wIBRS%|cRVJHqe^T~a`QU7^
zpx^B*X_EBuxCT;YVa+*9y8B8_QzKI)S5D?5#Ia_gUQEuRP@d_9*q_QC1e6G-$>g1g
z$VW9(lgUVqvt1N}EVZcC99(U>NhsOtz)B+u78DOrhtdSTrJby<wsQCJD9;gC<=UZK
z&6m@CG55RmsVy6QETv!vBAX&8O}<~wX#$xE3aarUO%)hyO%PsT3_y=A-BPQjb^@_6
z4-i%Z-xj7<DCac^>r|Zp3IlYI-o!5vv}^D+*@gMZ2F3P^1Z+&9+u}Qd>Z#E+lw-E)
zCS^HMXyN4B<`&CqpnyUnTc1I2w7qYj^=<D=ce7`LGuK_2gxqe%$nPqk6R0!-y$6Aj
z-7>9}ohhgS-ffTm<mQ1aGO3M(R|)bx;=apPny|YNOH3qM#8T9?1971s;3~Ubxf=s`
zQLW7BDcMgW2pnDlS0HeAkTX98Zr_<@*zLGG_^@|%tl?OTjYFrKLwe=b4JJDYwld8&
z*u@=>&&ef?k0pwlE1!;pP#5nISb4XLS2?-WT`&y2m<Y&B0w)$X?>-V4H7IiQ*0`WE
zC(5F;6R3F#ZEvc;zSywXq7u+XUh`hk624DahY9AwBaiI7lWASpXh#dA+OI62Co>N_
z_2tr`p~)m^hJXO3sJQ;lfXGo**JYUAsnuvRsyAli8a@>jsV4N=PDRp;L@({_@pid`
zLQNN>m#8V;w4i!qZV<wQvUuUZiHJEO>w84i^c`vFy;o49y}91e(3xy^my~dSYryfV
zS(|TTF;xemnuY6bqBRvV+QLy4$=hQ4L@YoMd|<I`UpXE>uc+*P=+Jqa=4i;^=i!_W
zc_uDakQKwOG(*qXiqJjYoj~AxPabTNRDd)o9H6S?u5h|R5;C1o_IwTtmayY^z3P@$
zTz9$Zgo@F1XC|wm*ms#Z1aWp_03mo*1Qw4F6Tsub!&;?XVkbKN*|C&nlwBa`RywCA
zuyum1NlLw45J7y&4Z7}YhY_TBhS<VcI;O-u-3sy8Z<V>z*LYrQgA(vG1#&<5z;!n8
z$CYV)o>mPAfm~sH%0#jz@A10Z(^gqJjc00`TtUcoK)NW-t6J}o;<6ur>p-nicT@R#
zZ*#T>vZRoTR2+9+<-?j4i<#@>!zC&yzN8DO15sFi30=fmgB3<Fpb|zuugn?jjZu%3
z>gBRaP$*bXVDc&lxv{f+&9}u?Ie^I9I5qp|+!_ITzXKQ}36CHPh3t(elxqy02B8MJ
zBU%=Sj?@#QE75+N6$D}HIeR*VwgK3-b!j^Vdk~o^cWW&IITwQyC>wPT_u7ltagA&p
ze*-lf*6mK7I$W~sv@9BGtams0x*<;-hzf3YHFi=Pw>p+rbadh_+hx+SLO^u@&-c54
z*+a2m3zN4tnHwk<0rUh1W6NLDExtcW>BVH^v>JB1Ufk|LeREUa;Qk_lVp>wM5GT^H
z0g`V;uDEzX=F@Z&W#2wkv}pEw+P(AfP~MAv@7g;Ql!jw+A-D9D6F}C^4Ff{@myzxv
z0qv4AERBl4M@0OJYckp`NFEq>)6DUNr@G;Ek<ARf%PtA$bM4%?^KsMMYpS>^VFw(~
za6D-xu;Gb|d`hq=?Sv7W6PkBdeL64=wa*U}MnqQc*q~5ido6iW-_f+;CRngvR*=~)
zSuI`+i{yJPIi2<(&E)L+^ma$La6gngua)oS$u(`Y97ZP>ckucOb1m>QitJGBps9dq
zDWqW~iD_~Jx2Kdw3@X=6a9)L4j?CqDy&8#d-?llu=C>d@`8eSye$P9enFPOg@H>C$
zal-M}eeIiPCSM$w1qV+*^Y47}gB#(mM{k~)d<`5E{R^J}h#&f=uRg=y^X&Qc@|nr^
ze8a!|vk$~=_T^_LzwodA<bUz}%p^D$`geji&P@K^U;P*-o}><B-LA=&C~Gu}<xAn#
zTTL&vN7Y61L6FvB%`H)l@^em5NADtMT>>oZ{Qy-oNfV5Ai|%M=f;{73dou9)Em_18
zS6r>OWKl^&e_9SnOByvdc6NW+8cM&@8zzYo=mH!nb<({9b{wb*l$XQBW_>yxEnV90
z(WrNa@d9*AvcXZ0Z3UwNnXy4&I}DSe&}3!EVQvHwWi%h5b}?M>YdKApJT=G6^lG`{
zchVAwpvr~Mj+?1qL@VoCN3Mb}yNJ<tO+(mLqN_V7@rwhs21lk8Y67{}!|onlYtz|-
zUmQt~QUwz=$KZ5$q(BKis%?iOh^S+HzL6nY9hzv}U5Bf%Dsi?ij@D|ozet3jFqBv4
z9;&4t-f>fmTvMiw_U7@rEKCuP!$MR<22Pj-x3LuBAf~xpd8fD5zKf+1TX^t8O*$!i
z+Z71f@z^mIrDA{2uHbkk<yF+Ocf$JQ0h7-+6^~4}taQ2NSk6`Xs`2*axstW`P*Hv*
z31SQ?;_g?K&UM5q@~*37+Ldl3?xkY~+0M1ZGxHK(Ov)#W?V^KpG$<&QBdo9q%Q45(
zMZyg)IwUg%V!R$u-4_yxgH;^lF);m`>;8OHB`4oEp3KfNFQlwppK!eiyvs1~x>jd}
zgO{2_Xp9Led_ZjG)>gn*;{@+vcwd1hP_$D@B>p@!?NH=MU&OXhVB53al%NWfyXU@&
zsNFzW=lzwpopaJlFn%OTbhkF4VU2^5fRw!NFX-t6EUIP&q~&}O8n@eR)}?%$JEX1`
zP^!f}R?vU@&))IZCcv8f&wuc-g8uUP<u&<OMW6iO$NumioZeWI;^|fR_x|bw@o#?J
zd*11IIY9h}-}^xPj^t&;XYctU;v2u{#EGAH75>imKM=p+>)-P(tNd60n+Kxu_{EUt
zr@tR3qaSE*tnxpzys^r^^Zj6ze<Hg2)5%#DnKnQTRKV40MF4Z*R#A|7&n6TcKiCro
zld%g|n2ZgNsSF4?>yun65y+!ASo;6;_3g3K>}Or4hbnZiDF!Qw#x#bYGCiH^&dwxo
z;@t1EJNKP2A@0uZ%<k;Y?A&&CW(i4Ag9;dIgQAg3fd5PY1BQY%ikKE8f(QXg|G)}~
ziZQW3BtfP4>}lV_>05gK*f)7^&(1#kd%oZ2^7(uot)5FRl3T8$TS~7WnVfsMzrzoZ
z^9ZFG8sXRIvP=&{ux3txAv+Yu#taV+P0BT8U$};e+sg~C!XT5|18<_@nQ_NH<jaKQ
zOTfZy%-tG(J$3fsd>*uiQSI<U5v^bfIC-a|4}G1&ROuUgbJP}UpfS_an=1-qlp>NC
z?je$U94@!^l;0jMO3fHO;uo}aDFC{Vcyq}yGd}Jb4$vxsc)AVM&h~5Fy_y&tB+I$o
z5=Zh*Z2iJt`NK#K@gQbpSyY0~ZZj*zBnGomzEHSyF9Y)tMyeDy-?>pMxELYzrdJ--
zAfe*y5{IbUcG^j`@J!lsXLBt>GW*z+0mo!8C&5v_a4?)b<kRSlD<B8ah&{#><PE;!
zv!Q#)_A=_2^SaHshivaLHWcm;Q)1SxX0Tc#S~@VW(0dQ_0UDhl;}VfzFRw0Az?SG`
z%U5!Daqp~M<O?%fPsCBs+e5bArfuFl79C?%;s&xKH;P%AB3KdThRAYMFI{T6M{Hs+
z{JH{)O4#l(al2NJ8>#Dj()QGyD60zxtFcyh!+92r>t?rZ2%ZO46*M&N<0|9b_=xlH
z7k8cBDGGII^<Ee)nE6>Gz}NM*=kp3+tdLsYeUlGZMXKAGuL}ewfk%1+Y_e(v$EwO@
z=`mX@XgXF2Ib&nbtYm@hZX|uCtUIpu$~tkZrrLGM`kF_VBeL0P45x_)g8dLg&^L$g
ze4Cj3nt%3;puZ5l9FyHUJ`<DQ^`$SO{P+LTtM3=T{b}*r{@Od=CMIA1pHGWl{8XuV
zGbW$bUc}@_zUi|u3D#a0fB&m@^1|oW_T_?XPdk=AGrBixCsW)35SvdUO|6%ei8Hq;
z33t+Rm-=~Z0oSrK8vYI=d9mpfXxd-&D~{YnKiR0>H32ZWvP-OCB~G^t>l9a}jM8!K
z%Gm|LeH<CM2OH64qPS-d>yoNDU|aAaB3LbUGRPxyG!IsoXU*=iHE0x|X)9F7J7T?I
z%G-?(&f;MrTpNgL_<VM5o9@&FqgrvGTTr_5%8Us6yy&~h+vNC_6H}?a<42s#q=-l>
z%ziX=#S=GgrYlEKHx*FLH#K8`j3FZ4yOlGCYo?U8o+}+%tFBM7S*P84yaAl9<M)b*
z5`p*VFs!J7uuRq^b2vWk3w1kAKC((yWwQxf^GfxbLAtH*jX9_n*LIfKKH?U`c_TOT
zcF6ao(gVs$*vzLRc3<Fe?syl2L*P~tfj&BL{4H5yOUxml21?o0;*<q)d$O(*QB+vJ
z6b+AJYX{gzD85y_PA4DxIyEFD&%Nalu+}h(&yAho>q6IRo8G@16!uuQmnhiGYO}}Y
zE6139awb}{*8!+zM**7Iw;U;z`vfC;m|C(u3W(K%^Jq#vd>9FvhpSs3CcD@HqL-FN
zj~<F#_?uJgRHiSxXFjSYq(SfTllo<@4d|a4FkO~1^#LE;XMsDr%lqN91`xvma@C5u
zf-r&msF!THcd?;MTAV_T*nC6px45^rfNHx+$>J<;!~~EU-iCb$`MM8qY@TT2%pHRL
zmEZw;EH5itS>5uKB36jwr;F^O-ZAPrubn$C4aW=P8LDSrJ`54`f$#s4w~3&C@paD#
z`quyS)(9Ft@`n-h&R=~ILE492m)`MHoq2ATC}u6=EEtJqW0PkS;k_houkM`7O+Ey+
zh=zL?5M$FBa<|7Saqs#{q4WiAI6gok+ZE%+awK-x>}<QtcSVG^qCvxQ!)!qK0b|L9
zy1!lfQc|Q#GGC9Le0SS+OfL1Nf6R<@&?ARZnjI=0&-c-(?g+7o$|W5Itm|rILFB+S
z>`RMwS9fdzct$$30M$8378LMx*Niu3adoqBAE5+H!*#+z4DkW@l_Uy*1>nRHad(tM
zHr|9uO+Y8ckcq9QDW|Gb_``#b{1{cT`&~Oi%M*aEjROWwK-fL6%EUZCXXUabb7`Y3
zR|#Bic!2F%A#Bh4C@9YrE>be%TtYSE7ci32>9Un~3uNbj>_KB0tynf42BahOz#Vd;
z+MfF5va|1#J>96ss?c!|tXN*<fz~!_duQE&PPBm>5Ls80MCEu?VK6S>g>YG~HCA5b
z9?tI<aYBa|)MPcaP^^XA#KpGg_(`wW)ZT4zm0GTldB8=1pK-+);Y-}=H|1gxQGWy-
z&C6i4CV)!B3uqV=P{`N4Et_^<SdP3{s(?#eY@zNa;o7(<O2I1R(wo_Mtr*9BZ432v
z;pi9P($HH}g$CrD%+2VZW>I4f4PI56c-Cv^h4$ov581Wxh|EP^7)7cFM&^^cMDJWt
zfg=nA2W)7?^X^LBr8IcQ(PDEWmjG0KaOH%MRt+iy+$vuK^e=R7YR3RUhA>vdoUN7P
zVqNW*Kx`xI6$iZ)(rfPNQn~ZDd+t2EK?5C=0^lGWlO61Szdr=rGlKs14}8hn+-lyB
zJtOFMotJO5XB0hi*Khyv&)#YfJ+HoB`_NB=#ees~FQ`Tex$95;@YCWqf8IU$-_)nY
zuf2cg3+*-OqrdX%Yw!Ko)8e1|rgywel>h1Pcv{51>8(-zwD#hjWWV>bQU2O{KmNM(
z(O;(BjwEaf8bICD+^lwcArt@-!FfcW9ln5JLYwu3_kgVFaTOX&5$zC}&-tq83BgH2
zCY&2TCdd0~+PaG22Rja5@%s&PZ05lC0`yFHTlKE)W9SP3b-&odzyP7$D-(0uotU3c
zMyMa!d76ABaPvI}g=9)tm-T&tI%Np3jQt5KRcny+Yg3!N%v$}CM+lq+Oleuh_e<9H
z^hj(BP0dSjyS+ty=j{(YdpmCOlb9Bvg_|pL1n!71lYwbTJ1R{O{$Nb9kX{Oy8<o?h
zoL%5DW&mGP?^`n1>bcq57+HzI33~m)m9p=PA=1DdvY?vb-bcoSmAPGGHYAgfhcekm
zXV&nC1$&pYha((T%WGCWgqrHf+y(O9eM9N!;b4^KYtfp}IxAhDS5N3JRLxlCVCX5G
z?Q{=Au+chBD`1&ky-Sjm(M^&LfWR1q!P2BH17A|MA{yL9H2wVWpf?mm3qM*PH>E4W
zW#3~v_%bo=5uHTKgXV*UqqQVOhkhIFj_2!=*y^IHbL$%E0VlGQ>2{R%k5$u@RcxNO
zH`dK=N6WlC!e*9r!gqM}(ZNKUT-~&GADW999)a~hiwW7Ns#F=|a<&tvEIMi%7zA}N
zEDf{W(c*OhuxzSnb3%%TM$E=E@PQ=7^WX%%VhkA~@o-iFTFC4@kj^+mcRTia8sC~3
zF(0Mv)t(Yg&>DLPZ_{bdxi`)hPkayE4-KG`Xn#e7gEH`gsl-I&`v;1+uDBeCv+6A?
zIblt?4Pf_pe4y}P`?ybGN&O5&(Cr)l*ef4~4D|VWxySRRf9vmN&j|YG?pq`1H-GLs
zqc<W5bg|z1jV~hTD}VHL=_iFbEilW#)TX)@n*%EQN~}v;Wb)`>uiL@lT+nSRT8nk#
z7>uOl=kvZVfzI}5&#^Of8T`*ySc?~j)$bB83y-0?M+Y4V4ir1$M`-WgoEmN$?qIBd
zly%o3%b1D971{v(pdR$S>=&T|L;I;<$y_bBmvcg<07o(S3kW|s8#GWBu3mFOXxCHC
ztVAA%o=wuuy9aq_S+W$Csa&hpUK#<1eb~A>$a3AH36b~{$U&7N0Hasv-ATl27tIwN
zDZ>fcxoT1zXRDg|Q+66Sr(Fj&kRnK7=QTU5)e3x#>^BQ)ucQaOy|jJD1BQ|^#hZ1y
zFF=Gy39Hb(@eaP{SMBAo3Rd8u%GjPYg$i1IGu{~_!dlsL54V#8lOQ3DyL4=Va<#yt
zE%X+{)8lA(cbGPnJ9mjzZJ|vkc?;)C^Jp)DL+YS%bPGWV885fdLD^fBt)+=}8E*X?
zOt?ayG}Ht(8W5JeL%!zq#rfg@{CradKsemyX9Xc7JKD9G5ujUZe|eC{*q#Xw7eF*;
zV|ObO+Z<IAAP-sXJwRD!DOY^arqu(OsVG!lYlI8MJ;nJaAOv=OPdWHiG%%Wm&$w9J
zd=12=EU~z5w<m9*gQn1M<|-}nW*~we7AJ*TBk<Af`r;qXTZ(8NeQSAuxaUW+JuhY$
z+l?fLV|<?DzOPSE#t)G#v{X`oe9Mlpx-+nn&WT79j{v=l<7j(=Au6EqBov2U7qoWS
ztW3dNC)mVi4t4;1N~>9y1Y4<gz@REH3}CH+LkHs?=rD<vy6t=>^&o-i`^g33?ja?^
zsuU<4q|799s4pv~-NoaWR8TlVY3n?RmcYX+wx>v3SaX^J`tESxi`^m(+9b?IN1W`X
zphU~Uu$4{57QvFo6_rYM=ZH&aX*nX4v%i6g1A8ufmY}f<rC&IcDl>w-jci0NuH9w}
z@(`N<rpau)t^Fi~u*<Bn%}r?$9g)k7r$Lh(oQZJuD^|Jss&Q;}ToAE_bmsC=1xE@H
zBxh!*bM4k{cw1Wx`hdwIf!oy@k;yo?;hWAmFLiDg!;ry=Cln?u1T;AJ3w4*QG8n^Y
zLaw45-{?6^(I?*ualjca!xIVMFpe~IHefbzE|?R)lpwp;je;=^p%3}c;KVDVOdW@E
zE2uhm`;yQzX@TCcR#;9C193!ZUx0g<n=Cb>E~Y*?>IX3mx{Movggik;-tQx)CP3=$
zvb}851CX35=`>TWf!$XKOkb=MjZe5aNbzp6A4LvwXt&u;T|x1kgS!+r%8{!K+i=ey
z>!&&B%*!okYi*N=*bRtblO=yJcMKGm6miiX0k8>WHO@xM0fN&hH4V3`aENtKWw%cQ
zAokG^FZ}7z=exFw5rSQMkCgA7OCHyjv#d`1x`*LtPa3M)RobK6hG%OTqKUERgKKh`
zN;|02;xP=IWlTKcH=RB*>~VG?1*Orvv6imvaq_Av+?76+m#1#P!k6}of)Zl`I@OyC
zdkY!R{lLi*O#sWWaf0B!A)8^BVN1@ub0>&!AouX;ux14b=j#~|#YarHC)&;IjXVLj
zU5d!^1c*5eA^a7?G8RaNsL<p=`R0}|>*xmk9HWaZJr!h{y$*pXYy!9#@9Ig;NjMgE
z$0fbS8FxfBb`W;6U`qvObeX6I<Kd#GD^%LqHdNE3eZ(Ni=U0|~&W~I?7VT{78gb4G
zT%-8Ag9zM?0qA?PGjRu<j(LP_^;U(UF<}DXam`~eKp8`w*uw0lI|vR}fCkE8VdC26
zPRaW#(%PB8Q~;!bck3W4uVfpb3dgixsDqQa!USR|t81MQ{dHhco+ea}KIRuxHr5#n
zsx}B5Tw=yM$8o#WFKDz>#WJD^fKRn72WUnGW)wZ(fOC6sSbIlBi|Srxwc;vM$KF1I
zvJ1N$;qxC`Cp|6EL0vm#I;Ltg2&iYVmq9&-{_QHmI6LHgjtK}lNCWoV>sPV_$-tmR
znCMC+6yQ*pbEjz>wK7i|2S481^{o*kX1Zb|rH?f<0dDlfr(|Ax#A=5N(619aXMaLG
z8Mum`@tAIfGw#$CoWlD4s$=9V9)-n;9tx^WJkQ$}VdGqn`V=n?#=HP#KA;*kW{=#~
zAn3LUA3bFNw{<T@O;v<|qo=RcRKO2$axk2R7OO+RhaGc^y7u9TQnFqpofy!AfFu?J
zxYy%z@@6ft<Q5IRn3?5<t<`a*Yx@ECdzW={(AaiA;*W+qC+Lwq1Tq$@$AzXKJRMn~
zs4ezvdp%PuP`Ae6RGvUt!tCf0UBj{0u*uG}?uy*@6o?S=#7Uko&pig?dW9mIxCic1
zhL8Fd;KQZIva8OPj@oP<)@%FB03abgDK@<w_U@tY?=3+z8r)*xl@C(2LJ^?a_u2xL
z(&&snhD@q?63u}^VM>a2x$?^>wof-unD6LRQ`)US#A*|)>_AX(09z+lq&j-Q`a?m;
z&7eRuQ@QUdnXcCLkzL!{%W%NjiqjQH{Xx6&dWFfQ4?L&N2-f%QBSy0x;q^%lq8R9c
z8s@HsS>AW`Ee9eXq<@m-@t{BHTC=}OMAfCzwAbcYmLiPPV`yjbUW`a95NJ^q_e@rC
zrqP(VUtRFj-Im=MuKL|wx+xRtMKenq+eQPByHaR0dqa0MdMt7(LVzN&3zGrL%TADG
z;VyBVYcMCfI<z2>h3QAmo7Qk4-)EozKF(Ma0hpr&u+YYOK<R@a_bs%f6WOK6klmcO
z<}U6xQ<s?#5lj4<SZYY1m1aelm0{yOJJL08RD+jzAWL=J0C#*TdfCb5cH8N4PFa9N
zdYep*A%-t31o>5yy$6c{IWuW?=Y&e|Hb3aC13et=bg<SLip2L2s-1H)>4mklkLE?{
zi5&6=X2V=5GbRWlZ7=)v-L#k(L_F5?$|v*C5<$t&mKc12I87ON9_|QNr!mcr3He6l
z+k2h@Pi=WsQ!NtiG%=h+^TuySV1Z_<VO1<QB}<=3#vl-(X}awM0%z0Jcq2pq`Y)`?
z4OR0G-k%xzKlytv*Wu4B{exfjb?^U&Z`R>IDZKjHSN`ZPL(c!nzmL34W&hz{e_H&p
zzxcAnKlp>sRQB)5UsU#=`i@s$bAI}1G5ZkmHg)(ny#HzOXaD<KtB9wy7j^g<M48`^
z;eO5enb)OHeFrLK>#U|*fT8F0#m;y5*|N!L0hwUtoclQ<0aLzi6lnuYisRK-F!8{O
z_GRFKWZ}yI)hXjZ_w7+YibRXayV--lQsL4Q*-TY!1u)<=eZZe8Q1EVbs}Xn0Xm>*8
zIzCAE(~t>etdnZz+buxt4ih)vqc0DH&>eP8c7vHJG-2e@V9{-MLem)Qm^6ZF)$Rbk
zn>2RN5Xls@yM~?&<az}R)=}mT^<}$0=@fVInJOzyZk+<&x1IvNoFo*~Ar;X26qR9W
z@U5L053An+RB0(AfdL?zMB_k(@B|3FvN%>dqHe@9&^6QZ1vIY6%)KWLGY#{`gI2bC
zZ%oHrm}0ie_4N)(HsC08oEZXglFJE`258lB-BGY2wX2u7DBiB3Hr0uLsanQqC_#`0
z&|6V~;eHgiXM`ed5W(xE7)d=!V%l*z(EWVk1rVu0p*Epp6u={ob%O>a5FRFI!A(jy
zVO>QfO1TJ-vAifK%<WZxMg);pHKw27#QjP*(}*^H0|k<LJC9QBwTh<t01BKZsVgSx
z+BI!S9T16L7xZ{l_nLK$&Vhnz8)%56Ex_S{VY(0?B?qYS!n$w{^cExuze_6NNrrW2
z2sUOy#0r2h3(fOPXJ`iZ#Rhafj?pH)a-)Uk<UYyJy1xTn9Q1SQaP8V-L*^#8iRA0U
zbxtl~@@0YVH-Ti3CSCbc#)OwmYc)v$w0>^f;Cs0xPRx$e&qI3R;_R$>be%_>LW6HW
zji7LM`IZ5t<$V=&noXl6u$%TNxH@`9Q24LjE+&tMX9RundtZ*p7jxbBypWlfKJ`5i
zlfU$|_+4P}3!^u_;f*N&S@Nwh`PRAaC%*N~nEWM($?tJTNrH~%Xu|Y?SuHn!<cw~&
z%j_M4be$}(MrjxuAJnQsliApn?L7cx7~M+~c;BqX+9S^e3ui4kl7ldSG}riH;zn=U
zqPep<=2w~RuBRsD1$!e(3j!~^-iQ8wm23x$-1uR1yGL1+S5_7Z2mlq6>akM;xK6kr
zUuT&S^(HS-i}G=p1GRU{ZA=TCPGs{rKJ2~YDDPSRVBsrt6hs4=LOoVw?J!V#U`%cM
zFs1M-ezc$11K59eELQa3E|`#E4rp}2qBPt9F|C@008|a4dVv6FBTwAzH3*wW$)C6Z
z=p<AE1^C7Fid4($N0mv5a~rR;UU#zQ6H_WOake|ufeuYV<P3eMWquSbd%Fu_TyYot
z)(;eOvtF(^w4V0u{?_0dBVdF3aC@-8HLdA2kZV>o&ZD~wad*SDZj!|flrbad1Z7Ft
znEX+VP>B$zK++d2iSi{AuU$^aPgv9DBb5s#u=R?BvwS3G%TzW*17;5LzL#KN)q)}&
z6|ROH&}nhh4DrIqZ`(5QD3JGK>CKro2`qD`X;Jeg<c(@GcDNs1jo#-p5URY|7ek;)
z;0yT?5Hju!Wv_@LTaBj3FML7A%#D7-HJ3`7DWEv$X!IWD0w8`YsT+P&4#%SK+~`U!
z8u!@J-d-HY1ITIIlj~Gv1|Z;9sf5;YvYlAf3vWmc@~~<oiw?}M0qncxQ-8$RI$oyQ
z<^f76u+0ZMczZlyT60C4a}V+#r8JZNhTYCx#Utt^W1qyVy2Seacy&(;tbVX{yYzn(
zBIx`l-u=oa-}%ZLua|pc@BGDZ@r=p;_1w<#<`nk*uN7bY#;x{eU-^wM|B4q8^xfa`
zy1e|zeVJkYnx1wU*)W>!?G3A$D<jDSc58w1&SkKdZ6z(kxb;B;?6G&!^D2RZ5~}j`
zDLtJJE`6_wJdIJ3E)oiqYOcj`1#s&N=jj=N6f2^<pRiGiX200NJ|NP~)V|$j6nVXq
z1bM~*wRzM0USIe?f8)eyM=m*k$*naKQeqM5da5$+__o_Ey+oqZMDK>W?tHDz9FC?P
zxw>B0nI>T~f$thuxs1BBTI|=Gg)c6FY>)8Tia#rAec3q%1Ql17H%Pq}W`5^Y^ipB*
zEclfB=&>?2<qCl4yDdQNL7;Y~wRNs*h&yM&NlnM?ZYm0jPP_2z`53f-oPHrC@&#vw
z-cUdct=qKr)apfB@2j?gMttl+RZSr=;m?K@5<(;U{&I!I!(PUZ3$i`fCm<o+?8>)N
z#yC-{-C4TDwK2OZiGjWVaE$k~Z6Y3T-WljaGN6oPix%&(r^MNr<6=BL1P7m5iY@EX
zS+X^0p)Q_jr(zJIWVK@oY*=0QNN>fsodUrvbW!yzEvpBv6xkpT=cQH4>iw>CAO@@i
zX>2fD3OkJUJ_ou{kz+;I3cZJj4QQ!GV#!IS&XzW$aQa})B7CIhqmqK+g?8%U(`Pby
z>?wcf43N_sXf6aL`-4z9euQXTmn?6m<IMy=xSc;0o1usqEhYPbjBF?Fd1c;6Lkt=y
z>#p(@#saYqg2;gKtELl)w3Q6$e}1Ig`9a^~1|?gg0Np_NzCEtE2>hsE3_*^o<*A@8
zheC^`Wo<VzRt&dNIiC<ts&i1dHXT|AwX){id2sn+>1nvrnhnZy_$e6AP|)Npei?Id
zYn(0T615V+Z47bU4G3L~gLk?+J?G}`aadlCVS~l>fTB!kET>Lut9E6N`{h;GaN05&
z(mU^9i(z$q)K<@Jkv0>CD-2S&jJ(9+P+0X!+dF-)i;FlDa<>(0&@2U1J;@Vpq$*ea
ztN=pVtHxsAi1-9qmu3>#!3(<D0X(aaRhzoo`t`z113g_RsPB?Mi4A}bo?n4-2<lY>
z%+8}u19sS<@{yeCcN!b6^DVal9p(xOfYS4dqBDs3hI{=KUZ!HvpIlOz7bj}ucX*mE
z^da8sAUbo04wJIMl{itW<~Uz*5X8ndYZ7EcTaW`-Raa)>^XnWg9~h{aQQ%E^H&{)*
zm>w{iVWfIS*7!!f)5b8!OR*a7@(Euo6;%~(bQ31BmwOI?A<;m)^zPRo&+|@s_q*Sw
zE|{3-dG`xH|8frUJoBCtzrXWh>xR7i@mF8_?r(WoT>h!Iv-ro~@w6zu^Ybm9KlZ^t
z`Bz{08z28{r6DhW;)TWLEf!xslV737^l9-I|LNzR$>)#3nf$Tm9*=+XU*0^EzYWgh
zpLjmwpa0Hxzw!gH`Q-U}$>Nv2@((`!AD$NVfB(YbD{t&8{?G1<?I-cyeAD6&J-44c
zw^1q3uYO<utoHjpzg;f#`vzD|*5?OU(FhApp1Y|4hyMYZBVpMttkm82@B7QuVcWx&
z;QjlKhwkuK-v2&|{s2Y2&;HDQlm=Gqe&%1k`;9N^YyZ&~bStb!`KtBvk-zE(-*jvD
z%5#D9b3MwBz<QM5VgB`-Zv6zf^@pBL_&Kong?G&S&hWGt&VQsu*fH}jhtIY6Tr2vP
z9W&22c<mp*`;`bh{Cs_$m$gs-!t)J`Kl758f8@8m{`<b@xnt)0f9)+^mY1I(VNnx_
z6EsedOM+RDH1!$B{9AaJFR*+E9K(IZ^IhKaUqAO_eBT#=V?GX!`F-ZYpZhU>3!eM?
z|N6V$W?9p3{L<6n;iYAupS1{%X+HA8V)&`2tKCqC{e@4vKe2t+E0AKp@%lV}eB-D8
z<I}GG>o57^<KT~XJ^k^@&%f};M?dkp9Da%<iPuzE%dnddA9!PD^R0O<(}5o+SQ}l#
zO2f}?*MUFy%<>)jv#WPtZ6EyK_gUBCdK=(3&qw=;>|Jl;#K?X=+He2xOHO>(cm3=q
z-vdtk-T(8&Z~e$0{lwGaSHG>rcYOKNqWVAnNQ-a`{NDfje2c%@{^2uzp8M!e|Kii4
z@im|8zE8df+=qM+R`GG~ebarv_H^I#8GohwLyMocs*G0u@6+NtUVZ5q5%|<!278-c
S`MuwM^BMp5tFL|Z*Zx0~Xu8q>

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tcp/large-file-reassembly.bro b/testing/btest/core/tcp/large-file-reassembly.bro
new file mode 100644
index 0000000000..655d030d96
--- /dev/null
+++ b/testing/btest/core/tcp/large-file-reassembly.bro
@@ -0,0 +1,22 @@
+# @TEST-EXEC: bro -r $TRACES/ftp/bigtransfer.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: btest-diff conn.log
+
+# The pcap has been truncated on purpose, so there's going to be large
+# gaps that are there by design and shouldn't trigger the "skip
+# deliveries" code paths because this test still needs to know about the
+# payloads being delivered around critical boundaries (e.g. 32-bit TCP
+# sequence wraparound and 32-bit data offsets).
+redef tcp_excessive_data_without_further_acks=0;
+
+event file_chunk(f: fa_file, data: string, off: count)
+	{
+	print "file_chunk", |data|, off, data;
+	}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
+	                    [$chunk_event=file_chunk]);
+	}

From 04344d09eb708c23fa22288d718ce5059c168eeb Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 9 Apr 2014 13:36:44 -0500
Subject: [PATCH 159/220] Update SNMP analyzer's DeliverPacket method
 signature.

---
 src/analyzer/protocol/snmp/SNMP.cc | 2 +-
 src/analyzer/protocol/snmp/SNMP.h  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc
index bed2e3c12d..36282087fa 100644
--- a/src/analyzer/protocol/snmp/SNMP.cc
+++ b/src/analyzer/protocol/snmp/SNMP.cc
@@ -25,7 +25,7 @@ void SNMP_Analyzer::Done()
 	}
 
 void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
-                                  int seq, const IP_Hdr* ip, int caplen)
+                                  uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h
index 31f4450d9b..d01704d2ae 100644
--- a/src/analyzer/protocol/snmp/SNMP.h
+++ b/src/analyzer/protocol/snmp/SNMP.h
@@ -16,7 +16,7 @@ public:
 
 	virtual void Done();
 	virtual void DeliverPacket(int len, const u_char* data, bool orig,
-	                           int seq, const IP_Hdr* ip, int caplen);
+	                           uint64 seq, const IP_Hdr* ip, int caplen);
 
 	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new SNMP_Analyzer(conn); }

From d4ef9f36930168574b78d548916c6f8eb7a16ce3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 9 Apr 2014 16:32:23 -0500
Subject: [PATCH 160/220] Fix missing @load dependencies in some scripts.

And update the unit test which is supposed to catch such errors.
---
 scripts/policy/protocols/ssl/expiring-certs.bro  |  2 ++
 .../policy/protocols/ssl/extract-certs-pem.bro   |  1 +
 .../policy/protocols/ssl/log-hostcerts-only.bro  |  3 +++
 .../{unique_errors => errors}                    |  0
 testing/btest/coverage/bare-mode-errors.test     | 16 ++++------------
 5 files changed, 10 insertions(+), 12 deletions(-)
 rename testing/btest/Baseline/coverage.bare-mode-errors/{unique_errors => errors} (100%)

diff --git a/scripts/policy/protocols/ssl/expiring-certs.bro b/scripts/policy/protocols/ssl/expiring-certs.bro
index 230c9524cd..9c02c63784 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.bro
+++ b/scripts/policy/protocols/ssl/expiring-certs.bro
@@ -4,6 +4,8 @@
 
 @load base/protocols/ssl
 @load base/files/x509
+@load base/frameworks/notice
+@load base/utils/directions-and-hosts
 
 module SSL;
 
diff --git a/scripts/policy/protocols/ssl/extract-certs-pem.bro b/scripts/policy/protocols/ssl/extract-certs-pem.bro
index 1cfccb6556..549c6943e6 100644
--- a/scripts/policy/protocols/ssl/extract-certs-pem.bro
+++ b/scripts/policy/protocols/ssl/extract-certs-pem.bro
@@ -11,6 +11,7 @@
 
 @load base/protocols/ssl
 @load base/files/x509
+@load base/utils/directions-and-hosts
 
 module SSL;
 
diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
index 75b1ae0423..f537616e7f 100644
--- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -1,6 +1,9 @@
 ##! When this script is loaded, only the host certificates (client and server)
 ##! will be logged to x509.log. Logging of all other certificates will be suppressed.
 
+@load base/protocols/ssl
+@load base/files/x509
+
 module X509;
 
 export {
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/unique_errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
similarity index 100%
rename from testing/btest/Baseline/coverage.bare-mode-errors/unique_errors
rename to testing/btest/Baseline/coverage.bare-mode-errors/errors
diff --git a/testing/btest/coverage/bare-mode-errors.test b/testing/btest/coverage/bare-mode-errors.test
index 1910ef8e17..27e10373ea 100644
--- a/testing/btest/coverage/bare-mode-errors.test
+++ b/testing/btest/coverage/bare-mode-errors.test
@@ -1,17 +1,9 @@
 # Makes sure any given bro script in the scripts/ tree can be loaded in
-# bare mode without error.  btest-bg-run/btest-bg-wait are used to kill off
-# scripts that block after loading, e.g. start listening on a socket.
+# bare mode without error.
 #
 # Commonly, this test may fail if one forgets to @load some base/ scripts
-# when writing a new bro scripts. Look into "allerrors" to find out
-# which script had trouble.
-#
-# @TEST-SERIALIZE: comm
+# when writing a new bro scripts.
 #
 # @TEST-EXEC: test -d $DIST/scripts
-# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro -not -path '*/site/*'`; do echo "=== $script" >>allerrors; if echo "$script" | egrep -q 'communication/listen|controllee'; then rm -rf load_attempt .bgprocs; btest-bg-run load_attempt bro -b $script; btest-bg-wait -k 2; cat load_attempt/.stderr >>allerrors; else bro -b $script 2>>allerrors; fi done || exit 0
-# @TEST-EXEC: cat allerrors | grep -v "received termination signal" | fgrep -v -f %INPUT | grep -v '===' | sort | uniq > unique_errors
-# @TEST-EXEC: btest-diff unique_errors
-
-# White-list of tests to exclude because of cyclic load dependencies.
-scripts/base/protocols/ftp/utils.bro
+# @TEST-EXEC: for script in `find $DIST/scripts/ -name \*\.bro`; do bro -b --parse-only $script >>errors 2>&1; done
+# @TEST-EXEC: btest-diff errors

From c617be6f50d88f8771a238799e60c37179f9c982 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 9 Apr 2014 16:39:46 -0500
Subject: [PATCH 161/220] Remove unused data member of SMTP_Analyzer.

To silence a Coverity warning.
---
 src/analyzer/protocol/smtp/SMTP.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h
index cc12167d30..8caaf846b8 100644
--- a/src/analyzer/protocol/smtp/SMTP.h
+++ b/src/analyzer/protocol/smtp/SMTP.h
@@ -84,7 +84,6 @@ protected:
 	int pipelining;			// whether pipelining is supported
 	list<int> pending_cmd_q;	// to support pipelining
 	int skip_data;			// whether to skip message body
-	int orig_record_contents;	// keep the original record_contents
 	BroString* line_after_gap;	// last line before the first reply
 					// after a gap
 

From aa73d42120f5bfbdd8d25f69f0fd8d0f31dd2a94 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 10 Apr 2014 08:12:02 -0700
Subject: [PATCH 162/220] update dpd for tls 1.2

all tests still pass
---
 scripts/base/protocols/ssl/dpd.sig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index b36b9a5aa5..b888d84cec 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -1,7 +1,7 @@
 signature dpd_ssl_server {
   ip-proto == tcp
   # Server hello.
-  payload /^(\x16\x03[\x00\x01\x02]..\x02...\x03[\x00\x01\x02]|...?\x04..\x00\x02).*/
+  payload /^(\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
   requires-reverse-signature dpd_ssl_client
   enable "ssl"
   tcp-state responder
@@ -10,6 +10,6 @@ signature dpd_ssl_server {
 signature dpd_ssl_client {
   ip-proto == tcp
   # Client hello.
-  payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/
+  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/
   tcp-state originator
 }

From a5fdf7996fc228bb56b49903e0a9fc3a979238e0 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 10 Apr 2014 08:32:33 -0700
Subject: [PATCH 163/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index f249570e3f..d99150801b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f249570e3fb4c83e532cc0813786f0ff60c4dea9
+Subproject commit d99150801b7844e082b5421d1efe4050702d350e

From 5d9fb1631c1a3eb48193cbf9009cf09390c6f2f6 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 10 Apr 2014 14:33:14 -0700
Subject: [PATCH 164/220] test for new ssl/tls dpd signature

---
 .../scripts.base.protocols.ssl.dpd/.stdout    |   8 ++++++++
 testing/btest/Traces/tls/ssl-v2.trace         | Bin 0 -> 3908 bytes
 .../btest/scripts/base/protocols/ssl/dpd.test |  19 ++++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
 create mode 100644 testing/btest/Traces/tls/ssl-v2.trace
 create mode 100644 testing/btest/scripts/base/protocols/ssl/dpd.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
new file mode 100644
index 0000000000..b59ed28b18
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
@@ -0,0 +1,8 @@
+Start test run
+Client hello, 192.168.4.149, 91.227.4.92, 2
+Start test run
+Client hello, 192.150.187.164, 194.127.84.106, 2
+Client hello, 192.150.187.164, 194.127.84.106, 769
+Client hello, 192.150.187.164, 194.127.84.106, 769
+Start test run
+Client hello, 10.0.0.80, 68.233.76.12, 771
diff --git a/testing/btest/Traces/tls/ssl-v2.trace b/testing/btest/Traces/tls/ssl-v2.trace
new file mode 100644
index 0000000000000000000000000000000000000000..a97ea3fa153f35b0d423f0579e128b4f2d74b984
GIT binary patch
literal 3908
zcmd6qc{r47AII-!R@+Qt=8%*uogtMBCPfS9bVAvVAyQP9XlyY>(PB&tlC)ULDO(*m
zsqDlcEtYgLozh81hiPB5sKhC$_r9kWr{VSYJJ)qz*WAy{_4$3j-{1ZGo|*PbrMWmj
z0K=~@UjV@1<{ZV^xr{{s4)8r%KsVt@a!i4ipG~Wi99RZ`WzRZGU`Ya?p@5LK<^jRu
zaU~`)bFA5ezFds^@`YIh0FFQ`$MARphRG?=g{jf#GXm}_{kD({R=_=4U%6jvNa>4U
z0l*}&ED;%1z(kKL{cl{{1S=%v&{cCHU>!s!;N%n}V$vf-hn2`kcV0Xh{0OONjnT~(
z#*V8y3DQIPG_Bdp<1hiK-ZXbaMntznGT=cNT4RX5ui_>kszKt-Z;AZ57{CD)h@z1}
z0}=4?fR6z_30M*U9|!o;Socc|?Fbx~h`0QPsCub_$A2q~cp8%yyRjIh6_6p5RwztM
z#HWF|)epWZkci0*bYYr1^3?uN0sMmp(j`m8KW{8SL_f*6L^Uuszifnf0TFkX6X3bQ
z;o|`v&{zWeZk7NSh$A>uzU8tgB>7oF8{q&2!-zz{iitB)WXY58D+we9Zl$x4GHVjr
z$T8$xxjcVv2-nMq#-gH2WCq!0124pPQ-~3rMMGB<81g@R@w|e9HUw=pqOz3GHAM#T
z=b#On1Bdr`1~F8+*I-Q@sVtAFQn?|1n=GXt&Gp$7%$h!#Vgz3-Q)3o;zRCR6aBB>=
z^ZvX2ztJhcbp9P7Mg({PHVLo<m;z3KVc>XfoAuF>@||1riM^brr+r)f*%C{NXY|3l
zDLz|2^L%eV^18F+7%zZvNYlZ4;b2&7_LRSBwD+o~>K#d$qSyU<lAe`j_=XJP&6iZW
zDckPQjFa-`{rJ=|c*_%CkKTIc$(Z3f?$t#t8U5$mC_>xffQA_E^QtuW?*q=&<@Bsz
zaOhjq{UR^73*MI9|MNq+=8*0Q+r%?J9Pda|1U`7h!2W<7&)!ebQ?6Wg)0lNSB3^!m
zkI9KD%fEuIoeZM~ro^-d9jCZ>-@xgSiqC3x+&-n(lHPK~V=&J*JoR@uZo#|tuQnU!
zX?NNOSm+nlsfvBn(*|_9aVv`YL^}&I^D3^q!QnB0{W~Fe$Y4SkSkT?<zrQEfHKOLB
zQ~0cCLp`?s&Kc7_RCLb1lrYCz{na~1qBf>iSgF30zLm|1t~;YrTJ08>YMA|@#N5Bv
z?3WbvLc)RtE%&r*)dx3r&5I@{q)o5rI1-e3GE-&YM~@o8_W|c=PgedKuu$7O<YR1~
zYMM2NI`#c}of3~XSMZTKN^J$f;q`AL8F8~t-_oG^-~6G2dX!KvK1Pa+@y9D~;oc27
zVlg{u9#J8px+cnxu%pYz{H%3P&T-o+dR=KoEvHBE-P$GBjJ?`srnK|znfAPAT8sLu
zsV}ttIe7K;BJLkcgHQR(hjX^8s+la%plF$WvD^8BO4c;9Ijf39&K5&(xX4VFV)ZGx
z^PU`PtG~t}+>taLL31GS(dc9uGuzm5!f|Jt$p1!@E}y2^J31}X*>JjCKt$e41>g!F
zB527HF`M4@35aT1K(}gmTBe&KVhkMzjlgRF$Q`~NVjm-<=_E#L8CxVSZ_VLZ8ReF?
z3)aM~=6z1Sck|_I_bS~_l#5fl^3O-KU-5BO3fml)JhLNd>37OX&jLfY*&E46_4OCw
zl~wpW!{v3h`#u>m&8|A=rFz?*_$}Czd0_uxldFPSzf`fY+w;Srgs}L4(}g>k)egd2
zTIcbL670-_o*BoRZ^+ud+I#A%J-ZE_>gKXLe<r;g>Rdlt>GwSRd&j+xqn5KDY7E@>
zY!yYA2<{4Alz<m)Ygb)#&C)#iNPD1PFQnjr>nRfz=Ixx&wYQEv?Ku73$|LI>R}`B|
zWTx0PPfO)+tT`58WonIw?iWzfFND`xZb{v%HFdF`@x5!o&YQLkp_IedP(d&Z7%kcP
z4c0Z5N}mV;-_GwQT{B0Kn6Cy*n|+7px7@FEVY(@pNmhUIPiFkpf<dn$H8+>8OJ^^+
z?5nA%$V^+D*=5?O?smQ?>MW(it93FeZs0LmT(-qv-HwanwOAyEhsKGora8oH8*Xui
zibO2;D=faG`#_6j+|tB)!w;R}{mUYv2A+txH!ypZ*NyvKPbI{1I{l4{9F4ivu()d+
zZX)MpQs-P5=T6Z1N8~)#eAu~s99@{90*m*^W3z5<yNfYbpZ9gxN?!V`Z?8hJem^G=
zx2o>>iKwSux6fV=>m?mU#r1`_kq7Y@=j_YV$94V@I^O|rm!Z+yC8JLwmXAY3$3z_P
zgiS<i4AIfEU;-k%U6}PFSxSjOjXd|d$BOVjS}QDKQblzxmU|eVW1ULgb3USCK9Qsm
z`D0EEyRlrF-65Imc9=QVs=(h7rbYDO>=Y7Uc6~LFxbdXo1oEpdjVHfWMH<LA^0N#j
zVub{thF5heiZ5b!Y<F*S(f(X*@#?1;D~a8{t4vU__(AGK@++kB4~`?Bh2-bu56h=z
z(S=!th`9I@bprWkMB~b5jg_A*ClS-KVEPN&AIu;osS`22d6j&ifoK2rYZ<?!-qIJr
zVm8G9?1h62E!p(3U5%AUKG%9&`S9eb(MII|jpWDJM8>Q*5<;7ryXm+5%&l)KP5&5p
z>B!0CO?t0!Z|Gcv<is7*T`pbT3qCn#hBckMRBk`L{Q6~5=bsl1>>?N2BwDq3FX2x%
zzejyORB)(j2Bt*L(RkHxYnm<dW+9>C)vd=n<}ACbf6`IM=Etm;4DZ?sbu-ay9cu6F
z^uHb!F3CHwnm>hJwB8FpIJi8iGnJZYVr6Y$7@`$av477wZ|9&Ew>?4wgR)9;jxD#L
zeS6d5B9r?XA*PFR1!v6kvuW`ala2e?5yY_Estdh6UGuke`jxe;DP*Ph*KDkH6EP><
zZ%p6?1vg}+b%$14o)v!3ne#Zgc_7O>ShA*l7nPcX?<Zs`yT52#_Ss`@_glh^xC;X-
zHEa|_+mvQ)NO-qi)&07T)B5n<UaS6YMqXQbb;bPB*2zF3dQ;k&^e%th#*kfahLjI_
zc|WpuM!j){y&3-3Aln<jZmg0Xt^MEjrnw2;87#gsFwLFzZEq0Kp=6Xe=Ei2b8I60i
zZ2fOEH^EWSGde1=t>Dr68xdP6_=z;0lWI(n(bx<%+M?s1ojj~jc^h4rEr*EL6_q9;
zR!fQdWQfSMEpmMfH%w$SLZTHS#wv{x$GSE&{hzLz;lD31>N;<xM9gSJ#I=-(h-Rb-
oh{|J$wU8L4Iog?VdR-%Roh;)T<!Fa;Jo3}9>+f>t!n~RP0igkuLjV8(

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
new file mode 100644
index 0000000000..ff1f6385ec
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro -C -b -r $TRACES/tls/ssl-v2.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+@load base/frameworks/dpd
+@load base/frameworks/signatures
+@load-sigs base/protocols/ssl/dpd.sig
+
+event bro_init()
+  {
+	print "Start test run";
+	}
+
+event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
+	{
+	print "Client hello", c$id$orig_h, c$id$resp_h, version;
+	}
+

From c741ea7c507445d60c55930d77ccf4f0648048cd Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 10 Apr 2014 14:34:12 -0700
Subject: [PATCH 165/220] Small logic fix for main ssl script.

Thank you, Jon
---
 scripts/base/protocols/ssl/main.bro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 75f7ad7364..5b974222a1 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -136,8 +136,10 @@ function finish(c: connection, remove_analyzer: bool)
 	{
 	log_record(c$ssl);
 	if ( remove_analyzer && disable_analyzer_after_detection && c?$ssl && c$ssl?$analyzer_id )
+		{
 		disable_analyzer(c$id, c$ssl$analyzer_id);
 		delete c$ssl$analyzer_id;
+		}
 	}
 
 event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5

From cc838c6b2e1d20bb8ae07bec91840eca13285dc6 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 10 Apr 2014 15:11:43 -0700
Subject: [PATCH 166/220] rip out state handline from ssl analyzer.

still seems to work, but basically untested.
---
 src/analyzer/protocol/ssl/ssl-analyzer.pac |  79 ++-----
 src/analyzer/protocol/ssl/ssl-protocol.pac | 249 ++++-----------------
 2 files changed, 55 insertions(+), 273 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..39388c448e 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -107,25 +107,6 @@ refine connection SSL_Conn += {
 	%cleanup{
 	%}
 
-	function proc_change_cipher_spec(rec: SSLRecord) : bool
-		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected ChangeCipherSpec from %s at state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-		return true;
-		%}
-
-	function proc_application_data(rec: SSLRecord) : bool
-		%{
-		if ( state_ != STATE_CONN_ESTABLISHED &&
-		     (state_ != STATE_CLIENT_FINISHED && ! ${rec.is_orig}) )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected ApplicationData from %s at state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-		return true;
-		%}
-
 	function proc_alert(rec: SSLRecord, level : int, desc : int) : bool
 		%{
 		BifEvent::generate_ssl_alert(bro_analyzer(), bro_analyzer()->Conn(),
@@ -267,11 +248,6 @@ refine connection SSL_Conn += {
 
 	function proc_v2_client_master_key(rec: SSLRecord, cipher_kind: int) : bool
 		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected v2 client master key message from %s in state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-
 		BifEvent::generate_ssl_established(bro_analyzer(),
 				bro_analyzer()->Conn());
 
@@ -285,17 +261,6 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_handshake(hs: Handshake, is_orig: bool) : bool
-		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected Handshake message %s from %s in state %s",
-				handshake_type_label(${hs.msg_type}).c_str(),
-				orig_label(is_orig).c_str(),
-				state_label(old_state_).c_str()));
-
-		return true;
-		%}
-
 	function proc_unknown_record(rec: SSLRecord) : bool
 		%{
 		bro_analyzer()->ProtocolViolation(fmt("unknown SSL record type (%d) from %s",
@@ -306,13 +271,8 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
-		if ( state_ == STATE_TRACK_LOST )
-			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
-				orig_label(${rec.is_orig}).c_str(),
-				state_label(old_state_).c_str()));
-
-		else if ( state_ == STATE_CONN_ESTABLISHED &&
-		          old_state_ == STATE_COMM_ENCRYPTED )
+		 if ( client_state_ == STATE_ENCRYPTED &&
+		          server_state_ == STATE_ENCRYPTED )
 			{
 			BifEvent::generate_ssl_established(bro_analyzer(),
 							bro_analyzer()->Conn());
@@ -322,10 +282,10 @@ refine connection SSL_Conn += {
 		%}
 };
 
-refine typeattr ChangeCipherSpec += &let {
-	proc : bool = $context.connection.proc_change_cipher_spec(rec)
-		&requires(state_changed);
-};
+#refine typeattr ChangeCipherSpec += &let {
+#	proc : bool = $context.connection.proc_change_cipher_spec(rec)
+#		&requires(state_changed);
+#};
 
 refine typeattr Alert += &let {
 	proc : bool = $context.connection.proc_alert(rec, level, description);
@@ -335,42 +295,37 @@ refine typeattr V2Error += &let {
 	proc : bool = $context.connection.proc_alert(rec, -1, error_code);
 };
 
-refine typeattr ApplicationData += &let {
-	proc : bool = $context.connection.proc_application_data(rec);
-};
+#refine typeattr ApplicationData += &let {
+#	proc : bool = $context.connection.proc_application_data(rec);
+#};
 
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
 				gmt_unix_time, random_bytes,
-				session_id, csuits, 0)
-		&requires(state_changed);
+				session_id, csuits, 0);
 };
 
 refine typeattr V2ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version, 0,
-				challenge, session_id, 0, ciphers)
-		&requires(state_changed);
+				challenge, session_id, 0, ciphers);
 };
 
 refine typeattr ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version,
 			gmt_unix_time, random_bytes, session_id, cipher_suite, 0,
-			compression_method)
-		&requires(state_changed);
+			compression_method);
 };
 
 refine typeattr V2ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
-				conn_id_data, 0, 0, ciphers, 0)
-		&requires(state_changed);
+				conn_id_data, 0, 0, ciphers, 0);
 
 	cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)
 		&requires(proc);
 };
 
 refine typeattr Certificate += &let {
-	proc : bool = $context.connection.proc_v3_certificate(rec, certificates)
-		&requires(state_changed);
+	proc : bool = $context.connection.proc_v3_certificate(rec, certificates);
 };
 
 refine typeattr V2ClientMasterKey += &let {
@@ -382,9 +337,9 @@ refine typeattr UnknownHandshake += &let {
 	proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig);
 };
 
-refine typeattr Handshake += &let {
-	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
-};
+#refine typeattr Handshake += &let {
+#	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
+#};
 
 refine typeattr SessionTicketHandshake += &let {
 	proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig);
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 9368122eaa..7ee71df352 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -34,7 +34,7 @@ type SSLRecord(is_orig: bool) = record {
 	head4 : uint8;
 	rec : RecordText(this)[] &length=length, &requires(content_type);
 } &length = length+5, &byteorder=bigendian,
-  &let {
+	&let {
 	version : int =
 		$context.connection.determine_ssl_version(head0, head1, head2);
 
@@ -51,9 +51,8 @@ type SSLRecord(is_orig: bool) = record {
 	};
 };
 
-type RecordText(rec: SSLRecord) = case $context.connection.state() of {
-	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
-	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
+type RecordText(rec: SSLRecord) = case $context.connection.state(rec.is_orig) of {
+	STATE_ENCRYPTED
 		-> ciphertext : CiphertextRecord(rec);
 	default
 		-> plaintext : PlaintextRecord(rec);
@@ -82,64 +81,18 @@ type SSLExtension(rec: SSLRecord) = record {
 ######################################################################
 
 enum AnalyzerState {
-	STATE_INITIAL,
-	STATE_CLIENT_HELLO_RCVD,
-	STATE_IN_SERVER_HELLO,
-	STATE_SERVER_HELLO_DONE,
-	STATE_CLIENT_CERT,
-	STATE_CLIENT_KEY_WITH_CERT,
-	STATE_CLIENT_KEY_NO_CERT,
-	STATE_CLIENT_CERT_VERIFIED,
-	STATE_CLIENT_ENCRYPTED,
-	STATE_CLIENT_FINISHED,
-	STATE_ABBREV_SERVER_ENCRYPTED,
-	STATE_ABBREV_SERVER_FINISHED,
-	STATE_COMM_ENCRYPTED,
-	STATE_CONN_ESTABLISHED,
-	STATE_V2_CL_MASTER_KEY_EXPECTED,
-
-	STATE_TRACK_LOST,
-	STATE_ANY
+	STATE_CLEAR,
+	STATE_ENCRYPTED
 };
 
 %code{
 	string state_label(int state_nr)
 		{
 		switch ( state_nr ) {
-		case STATE_INITIAL:
-			return string("INITIAL");
-		case STATE_CLIENT_HELLO_RCVD:
-			return string("CLIENT_HELLO_RCVD");
-		case STATE_IN_SERVER_HELLO:
-			return string("IN_SERVER_HELLO");
-		case STATE_SERVER_HELLO_DONE:
-			return string("SERVER_HELLO_DONE");
-		case STATE_CLIENT_CERT:
-			return string("CLIENT_CERT");
-		case STATE_CLIENT_KEY_WITH_CERT:
-			return string("CLIENT_KEY_WITH_CERT");
-		case STATE_CLIENT_KEY_NO_CERT:
-			return string("CLIENT_KEY_NO_CERT");
-		case STATE_CLIENT_CERT_VERIFIED:
-			return string("CLIENT_CERT_VERIFIED");
-		case STATE_CLIENT_ENCRYPTED:
-			return string("CLIENT_ENCRYPTED");
-		case STATE_CLIENT_FINISHED:
-			return string("CLIENT_FINISHED");
-		case STATE_ABBREV_SERVER_ENCRYPTED:
-			return string("ABBREV_SERVER_ENCRYPTED");
-		case STATE_ABBREV_SERVER_FINISHED:
-			return string("ABBREV_SERVER_FINISHED");
-		case STATE_COMM_ENCRYPTED:
-			return string("COMM_ENCRYPTED");
-		case STATE_CONN_ESTABLISHED:
-			return string("CONN_ESTABLISHED");
-		case STATE_V2_CL_MASTER_KEY_EXPECTED:
-			return string("STATE_V2_CL_MASTER_KEY_EXPECTED");
-		case STATE_TRACK_LOST:
-			return string("TRACK_LOST");
-		case STATE_ANY:
-			return string("ANY");
+		case STATE_CLEAR:
+			return string("CLEAR");
+		case STATE_ENCRYPTED:
+			return string("ENCRYPTED");
 
 		default:
 			return string(fmt("UNKNOWN (%d)", state_nr));
@@ -176,21 +129,7 @@ type ChangeCipherSpec(rec: SSLRecord) = record {
 	type : uint8;
 } &length = 1, &let {
 	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					 STATE_COMM_ENCRYPTED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					 STATE_ABBREV_SERVER_ENCRYPTED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CLIENT_KEY_NO_CERT,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT_VERIFIED,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_KEY_WITH_CERT,
-					 STATE_CLIENT_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_ABBREV_SERVER_FINISHED,
-					 STATE_COMM_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.lost_track();
+		$context.connection.startEncryption(rec.is_orig);
 };
 
 
@@ -209,7 +148,7 @@ type Alert(rec: SSLRecord) = record {
 ######################################################################
 
 type V2Error(rec: SSLRecord) = record {
-	data:   bytestring &restofdata &transient;
+	data : bytestring &restofdata &transient;
 } &let {
 	error_code : uint16 = ((rec.head3 << 8) | rec.head4);
 };
@@ -234,9 +173,7 @@ type ApplicationData(rec: SSLRecord) = record {
 ######################################################################
 
 # Hello Request is empty
-type HelloRequest(rec: SSLRecord) = empty &let {
-	hr: bool = $context.connection.set_hello_requested(true);
-};
+type HelloRequest(rec: SSLRecord) = empty;
 
 
 ######################################################################
@@ -257,13 +194,6 @@ type ClientHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_INITIAL,
-				STATE_CLIENT_HELLO_RCVD, rec.is_orig, true) ||
-		($context.connection.hello_requested() &&
-		 $context.connection.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, rec.is_orig, true)) ||
-		$context.connection.lost_track();
 };
 
 
@@ -279,13 +209,6 @@ type V2ClientHello(rec: SSLRecord) = record {
 	session_id : uint8[session_len];
 	challenge : bytestring &length = chal_len;
 } &length = 6 + csuit_len + session_len + chal_len, &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_INITIAL,
-			STATE_CLIENT_HELLO_RCVD, rec.is_orig, true) ||
-		($context.connection.hello_requested() &&
-		 $context.connection.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, rec.is_orig, true)) ||
-		$context.connection.lost_track();
-
 	client_version : int = rec.version;
 };
 
@@ -306,11 +229,6 @@ type ServerHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
-					   STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 
@@ -329,14 +247,6 @@ type V2ServerHello(rec: SSLRecord) = record {
 	ciphers : uint24[ciph_len/3];
 	conn_id_data : bytestring &length = conn_id_len;
 } &let {
-	state_changed : bool =
-		(session_id_hit > 0 ?
-			$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
-				STATE_CONN_ESTABLISHED, rec.is_orig, false) :
-			$context.connection.transition(STATE_CLIENT_HELLO_RCVD,
-				STATE_V2_CL_MASTER_KEY_EXPECTED, rec.is_orig, false)) ||
-		$context.connection.lost_track();
-
 	session_id_hit : uint8 = rec.head3;
 	cert_type : uint8 = rec.head4;
 };
@@ -357,12 +267,10 @@ type Certificate(rec: SSLRecord) = record {
 	length : uint24;
 	certificates : CertificateList &length = to_int()(length);
 } &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.transition(STATE_SERVER_HELLO_DONE,
-					STATE_CLIENT_CERT, rec.is_orig, true) ||
-		$context.connection.lost_track();
+	state_changed_client : bool =
+		$context.connection.startEncryption(true);
+	state_changed_server : bool =
+		$context.connection.startEncryption(false);
 };
 
 
@@ -373,11 +281,6 @@ type Certificate(rec: SSLRecord) = record {
 # For now ignore details; just eat up complete message
 type ServerKeyExchange(rec: SSLRecord) = record {
 	key : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-				STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 
@@ -388,11 +291,6 @@ type ServerKeyExchange(rec: SSLRecord) = record {
 # For now, ignore Certificate Request Details; just eat up message.
 type CertificateRequest(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					STATE_IN_SERVER_HELLO, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 
@@ -401,12 +299,7 @@ type CertificateRequest(rec: SSLRecord) = record {
 ######################################################################
 
 # Server Hello Done is empty
-type ServerHelloDone(rec: SSLRecord) = empty &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_IN_SERVER_HELLO,
-					STATE_SERVER_HELLO_DONE, rec.is_orig, false) ||
-		$context.connection.lost_track();
-};
+type ServerHelloDone(rec: SSLRecord) = empty;
 
 
 ######################################################################
@@ -425,15 +318,6 @@ type ServerHelloDone(rec: SSLRecord) = empty &let {
 # encrypted anyway); just eat up message.
 type ClientKeyExchange(rec: SSLRecord) = record {
 	key : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_SERVER_HELLO_DONE,
-					STATE_CLIENT_KEY_NO_CERT, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT,
-					STATE_CLIENT_KEY_WITH_CERT, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_CERT,
-					STATE_CLIENT_KEY_WITH_CERT, rec.is_orig, true) ||
-		$context.connection.lost_track();
 };
 
 ######################################################################
@@ -449,11 +333,6 @@ type V2ClientMasterKey(rec: SSLRecord) = record {
 	en_key_data : bytestring &length = en_key_len &transient;
 	key_arg_data : bytestring &length = key_arg_len &transient;
 } &length = 7 + cl_key_len + en_key_len + key_arg_len, &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_V2_CL_MASTER_KEY_EXPECTED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
-		$context.connection.lost_track();
-
 	cipher_kind : int = (((rec.head3 << 16) | (rec.head4 << 8)) | cipher_kind_8);
 };
 
@@ -465,11 +344,6 @@ type V2ClientMasterKey(rec: SSLRecord) = record {
 # For now, ignore Certificate Verify; just eat up the message.
 type CertificateVerify(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_KEY_WITH_CERT,
-					STATE_CLIENT_CERT_VERIFIED, rec.is_orig, true) ||
-		$context.connection.lost_track();
 };
 
 
@@ -481,13 +355,6 @@ type CertificateVerify(rec: SSLRecord) = record {
 # so we will not be able to read those messages.
 type Finished(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_SERVER_HELLO_DONE,
-					STATE_COMM_ENCRYPTED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					STATE_COMM_ENCRYPTED, rec.is_orig, false) ||
-		$context.connection.lost_track();
 };
 
 type SessionTicketHandshake(rec: SSLRecord) = record {
@@ -499,10 +366,8 @@ type SessionTicketHandshake(rec: SSLRecord) = record {
 # V3 Handshake Protocol (7.)
 ######################################################################
 
-type UnknownHandshake(hs: Handshake, is_orig: bool) =  record {
+type UnknownHandshake(hs: Handshake, is_orig: bool) = record {
 	data : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool = $context.connection.lost_track();
 };
 
 type Handshake(rec: SSLRecord) = record {
@@ -532,33 +397,12 @@ type Handshake(rec: SSLRecord) = record {
 # Fragmentation (6.2.1.)
 ######################################################################
 
-type UnknownRecord(rec: SSLRecord) =  record {
+type UnknownRecord(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool = $context.connection.lost_track();
 };
 
 type CiphertextRecord(rec: SSLRecord) = record {
 	cont : bytestring &restofdata &transient;
-} &let {
-	state_changed : bool =
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					STATE_CLIENT_FINISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CLIENT_FINISHED,
-					STATE_CLIENT_FINISHED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_ABBREV_SERVER_ENCRYPTED,
-					STATE_ABBREV_SERVER_FINISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CLIENT_ENCRYPTED,
-					STATE_CLIENT_FINISHED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_COMM_ENCRYPTED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_COMM_ENCRYPTED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
-		$context.connection.transition(STATE_CONN_ESTABLISHED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, false) ||
-		$context.connection.transition(STATE_CONN_ESTABLISHED,
-					STATE_CONN_ESTABLISHED, rec.is_orig, true) ||
-		$context.connection.lost_track();
 };
 
 
@@ -578,22 +422,22 @@ type SSLPDU(is_orig: bool) = record {
 refine connection SSL_Conn += {
 
 	%member{
-		int state_;
+		int client_state_;
+		int server_state_;
 		int old_state_;
 		bool hello_requested_;
 	%}
 
 	%init{
-		state_ = STATE_INITIAL;
-		old_state_ = STATE_INITIAL;
-		hello_requested_ = false;
+		server_state_ = STATE_CLEAR;
+		client_state_ = STATE_CLEAR;
 	%}
 
 	function determine_ssl_version(head0 : uint8, head1 : uint8,
 					head2 : uint8) : int
 		%{
 		if ( head0 >= 20 && head0 <= 23 &&
-		     head1 == 0x03 && head2 <= 0x03 )
+				 head1 == 0x03 && head2 <= 0x03 )
 			// This is most probably SSL version 3.
 			return (head1 << 8) | head2;
 
@@ -606,39 +450,22 @@ refine connection SSL_Conn += {
 			return UNKNOWN_VERSION;
 		%}
 
-	function state() : int %{ return state_; %}
-	function old_state() : int %{ return old_state_; %}
+	function client_state() : int %{ return client_state_; %}
+	function server_state() : int %{ return client_state_; %}
+	function state(is_orig: bool) : int
+	%{
+	if ( is_orig )
+		return client_state_;
+	else
+		return server_state_;
+	%}
 
-	function transition(olds : AnalyzerState, news : AnalyzerState,
-				current_record_is_orig : bool, is_orig : bool) : bool
+	function startEncryption(is_orig: bool) : bool
 		%{
-		if ( (olds != STATE_ANY && olds != state_) ||
-		     current_record_is_orig != is_orig )
-			return false;
-
-		old_state_ = state_;
-		state_ = news;
-
-		//printf("transitioning from %s to %s\n", state_label(old_state()).c_str(), state_label(state()).c_str());
+		if ( is_orig )
+			client_state_ = STATE_ENCRYPTED;
+		else
+			server_state_ = STATE_ENCRYPTED;
 		return true;
 		%}
-
-	function lost_track() : bool
-		%{
-		state_ = STATE_TRACK_LOST;
-		return false;
-		%}
-
-	function hello_requested() : bool
-		%{
-		bool ret = hello_requested_;
-		hello_requested_ = false;
-		return ret;
-		%}
-
-	function set_hello_requested(val : bool) : bool
-		%{
-		hello_requested_ = val;
-		return val;
-		%}
 };

From db80947b5f285a49d8bf8c60f816aad9ab4b0b98 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 14 Apr 2014 15:58:37 -0400
Subject: [PATCH 167/220] Updated snmp script.  Feedback would be welcome!

---
 scripts/base/protocols/snmp/main.bro | 157 ++++++++++++++++++++++++++-
 1 file changed, 156 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.bro
index a2fbb23713..1c92e73ce0 100644
--- a/scripts/base/protocols/snmp/main.bro
+++ b/scripts/base/protocols/snmp/main.bro
@@ -3,13 +3,168 @@
 module SNMP;
 
 export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		ts: time &log;
+		uid: string &log;
+		id: conn_id &log;
+		duration: interval &log &default=0secs;
+
+		version: string &log;
+		community: string &log &optional;
+
+		get_requests:      count &log &default=0;
+		get_bulk_requests: count &log &default=0;
+		get_responses:     count &log &default=0;
+
+		set_requests: count &log &default=0;
+
+		display_string: string &log &optional;
+		up_since: time &log &optional;
+	};
+
+	redef record connection += {
+		snmp: SNMP::Info &optional;
+	};
+
+	global log_snmp: event(rec: Info);
 }
 
 const ports = { 161/udp, 162/udp };
-
 redef likely_server_ports += { ports };
 
+const version_map = {
+	[0] = "1",
+	[1] = "2c",
+	[3] = "3",
+};
+
 event bro_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
+	Log::create_stream(SNMP::LOG, [$columns=SNMP::Info, $ev=log_snmp]);
+	}
+
+function init_state(c: connection, h: SNMP::Header): Info
+	{
+	if ( ! c?$snmp )
+		{
+		c$snmp = Info($ts=network_time(), 
+		              $uid=c$uid, $id=c$id,
+		              $version=version_map[h$version]);
+		}
+
+	local s = c$snmp;
+	if ( ! s?$community )
+		{
+		if ( h?$v1 )
+			s$community = h$v1$community;
+		if ( h?$v2 )
+			s$community = h$v2$community;
+		}
+
+	s$duration = network_time() - s$ts;
+	return s;
+	}
+
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$snmp )
+		Log::write(LOG, c$snmp);
+	}
+
+event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$get_requests;
+		}
+	}
+
+event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$get_bulk_requests;
+		}
+	}
+
+event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$get_requests;
+		}
+	}
+
+event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+
+	for ( i in pdu$bindings )
+		{
+		++s$get_responses;
+
+		local binding = pdu$bindings[i];
+		if ( binding$oid == "1.3.6.1.2.1.1.1.0" && binding$value?$octets )
+			c$snmp$display_string = binding$value$octets;
+		else if ( binding$oid == "1.3.6.1.2.1.1.3.0" && binding$value?$unsigned )
+			{
+			local up_seconds = binding$value$unsigned / 100.0;
+			s$up_since = network_time() - double_to_interval(up_seconds);
+			}
+		}
+	}
+
+event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	local s = init_state(c, header);
+	for ( i in pdu$bindings )
+		{
+		++s$set_requests;
+		}
+	}
+
+event snmp_trap(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_inform_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_trapV2(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_report(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_unknown_pdu(c: connection, is_orig: bool, header: SNMP::Header, tag: count) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_unknown_scoped_pdu(c: connection, is_orig: bool, header: SNMP::Header, tag: count) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_encrypted_pdu(c: connection, is_orig: bool, header: SNMP::Header) &priority=5
+	{
+	init_state(c, header);
+	}
+
+event snmp_unknown_header_version(c: connection, is_orig: bool, version: count) &priority=5
+	{
 	}

From 13d8908a8db011b57f279801ca32f8c387fd8112 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 14 Apr 2014 15:57:51 -0500
Subject: [PATCH 168/220] Fix a memory leak in ASCII log writer.

---
 src/logging/writers/Ascii.cc                  |  2 +
 .../btest/core/leaks/ascii-log-rotation.bro   | 75 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 testing/btest/core/leaks/ascii-log-rotation.bro

diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index b926a6c55b..fc9567e9b7 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -175,6 +175,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 			return false;
 			}
 
+		delete formatter;
 		formatter = new formatter::JSON(this, tf);
 		// Using JSON implicitly turns off the header meta fields.
 		include_meta = false;
@@ -186,6 +187,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 		desc.EnableEscaping();
 		desc.AddEscapeSequence(separator);
 		formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field);
+		delete formatter;
 		formatter = new formatter::Ascii(this, sep_info);
 		}
 
diff --git a/testing/btest/core/leaks/ascii-log-rotation.bro b/testing/btest/core/leaks/ascii-log-rotation.bro
new file mode 100644
index 0000000000..a84f80ea90
--- /dev/null
+++ b/testing/btest/core/leaks/ascii-log-rotation.bro
@@ -0,0 +1,75 @@
+# Needs perftools support.
+#
+# @TEST-SERIALIZE: comm
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: btest-bg-run receiver HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m ../receiver.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run sender HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m ../sender.bro
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-wait 60
+
+@TEST-START-FILE sender.bro
+
+@load base/frameworks/communication
+@load base/protocols/dns
+
+redef Communication::nodes += {
+    ["foo"] = [$host = 127.0.0.1, $connect=T]
+};
+
+global write_count: count = 0;
+
+event do_write()
+	{
+	print "do_write";
+	local cid: conn_id = conn_id($orig_h=1.2.3.4,$orig_p=1/tcp,
+	                             $resp_h=5.6.7.8,$resp_p=2/tcp);
+	local dns_info_dummy = DNS::Info($ts=network_time(), $uid="FAKE",
+	                                 $id=cid, $proto=tcp);
+	Log::write(DNS::LOG, dns_info_dummy);
+	schedule .1sec { do_write() };
+	++write_count;
+
+	if ( write_count == 200 )
+		terminate();
+	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	print "remote_connection_handshake_done", p;
+	schedule .1sec { do_write() };
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	print "remote_connection_closed", p;
+	}
+
+@TEST-END-FILE
+
+@TEST-START-FILE receiver.bro
+
+@load frameworks/communication/listen
+@load base/protocols/dns
+
+redef Communication::nodes += {
+	["foo"] = [$host = 127.0.0.1, $connect=F, $request_logs=T]
+};
+
+redef Log::default_rotation_interval = 2sec;
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	print "remote_connection_handshake_done", p;
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	print "remote_connection_closed", p;
+	terminate();
+	}
+
+@TEST-END-FILE

From cb4eaf762c967aaede75a5da8ace06eca508f82e Mon Sep 17 00:00:00 2001
From: Matthias Vallentin <vallentin@icir.org>
Date: Tue, 15 Apr 2014 12:36:57 +0200
Subject: [PATCH 169/220] Fix bug when clearing Bloom filter contents.

This patch fixes a bug that occurred when calling the BiF bloomfilter_clear,
which used to not only clear the underlying bit vector but also set its size to
zero. As a result, subsequent element access or computations using the bit
vector size caused erroneous behavior.

Reported by @colonelxc.
---
 src/probabilistic/BloomFilter.cc   | 4 ++--
 src/probabilistic/CounterVector.cc | 4 ++--
 src/probabilistic/CounterVector.h  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/probabilistic/BloomFilter.cc b/src/probabilistic/BloomFilter.cc
index f6e4017626..ef671268b9 100644
--- a/src/probabilistic/BloomFilter.cc
+++ b/src/probabilistic/BloomFilter.cc
@@ -72,7 +72,7 @@ bool BasicBloomFilter::Empty() const
 
 void BasicBloomFilter::Clear()
 	{
-	bits->Clear();
+	bits->Reset();
 	}
 
 bool BasicBloomFilter::Merge(const BloomFilter* other)
@@ -190,7 +190,7 @@ bool CountingBloomFilter::Empty() const
 
 void CountingBloomFilter::Clear()
 	{
-	cells->Clear();
+	cells->Reset();
 	}
 
 bool CountingBloomFilter::Merge(const BloomFilter* other)
diff --git a/src/probabilistic/CounterVector.cc b/src/probabilistic/CounterVector.cc
index 317a28d851..8608015422 100644
--- a/src/probabilistic/CounterVector.cc
+++ b/src/probabilistic/CounterVector.cc
@@ -75,9 +75,9 @@ bool CounterVector::AllZero() const
 	return bits->AllZero();
 	}
 
-void CounterVector::Clear()
+void CounterVector::Reset()
 	{
-	bits->Clear();
+	bits->Reset();
 	}
 
 CounterVector::count_type CounterVector::Count(size_type cell) const
diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h
index d3efd1aa31..247a646eb1 100644
--- a/src/probabilistic/CounterVector.h
+++ b/src/probabilistic/CounterVector.h
@@ -86,7 +86,7 @@ public:
 	/**
 	 * Sets all counters to 0.
 	 */
-	void Clear();
+	void Reset();
 
 	/**
 	 * Retrieves the number of cells in the storage.

From 2dbca1ccd93da3b949e90f76a236060d0b04bdae Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:07:21 -0400
Subject: [PATCH 170/220] Add Intel::ADDR lookup to host field

IP addresses are often seen in the HTTP host field; this change checks if the value in the host field is a valid IP address and processes the Intel::seen event to check for an Intel::ADDR indicator.
---
 .../frameworks/intel/seen/http-headers.bro     | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index 2a74548023..b9393c93a6 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -8,12 +8,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 		{
 		switch ( name ) 
 			{
-			case "HOST": 
-			Intel::seen([$indicator=value,
-			             $indicator_type=Intel::DOMAIN,
-			             $conn=c,
-			             $where=HTTP::IN_HOST_HEADER]);
-			break;
+                        case "HOST":
+                                if (  is_valid_ip(value) )
+                                        Intel::seen([$host=to_addr(value),
+                                                     $conn=c,
+                                                     $where=HTTP::IN_HOST_HEADER]);
+                                else
+                                        Intel::seen([$indicator=value,
+                                                     $indicator_type=Intel::DOMAIN,
+                                                     $conn=c,
+                                                     $where=HTTP::IN_HOST_HEADER]);
+                        break;
+
 
 			case "REFERER":
 			Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),

From 85bbc391949240e80780a586f2d5957cff5eb900 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:10:38 -0400
Subject: [PATCH 171/220] Update http-headers.bro

---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index b9393c93a6..b736946bfa 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -9,7 +9,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 		switch ( name ) 
 			{
                         case "HOST":
-                                if (  is_valid_ip(value) )
+                                if ( is_valid_ip(value) )
                                         Intel::seen([$host=to_addr(value),
                                                      $conn=c,
                                                      $where=HTTP::IN_HOST_HEADER]);

From 9083b03bd6e26d82b0a701919004cf1a62c5e9e3 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:12:09 -0400
Subject: [PATCH 172/220] Update http-headers.bro

---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index b736946bfa..c2e2160f57 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -11,6 +11,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
                         case "HOST":
                                 if ( is_valid_ip(value) )
                                         Intel::seen([$host=to_addr(value),
+                                        	     $indicator_type=Intel::ADDR,
                                                      $conn=c,
                                                      $where=HTTP::IN_HOST_HEADER]);
                                 else

From b43c2c347b1761cfeb9dd433c574d78089392df7 Mon Sep 17 00:00:00 2001
From: jshlbrd <liburdi.joshua@gmail.com>
Date: Tue, 15 Apr 2014 09:15:57 -0400
Subject: [PATCH 173/220] Update http-headers.bro

---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index c2e2160f57..3746ec9def 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -21,7 +21,6 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
                                                      $where=HTTP::IN_HOST_HEADER]);
                         break;
 
-
 			case "REFERER":
 			Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
 			             $indicator_type=Intel::URL,

From 2a5b209f6d23689ef08fa3aa735e3ddb291c2a57 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 15 Apr 2014 12:50:10 -0500
Subject: [PATCH 174/220] Refactor initialization of ASCII log writer options.

---
 src/logging/writers/Ascii.cc | 203 ++++++++++++++++++++---------------
 src/logging/writers/Ascii.h  |   5 +
 2 files changed, 122 insertions(+), 86 deletions(-)

diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index fc9567e9b7..43ffe47308 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -24,43 +24,13 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	tsv = false;
 	use_json = false;
 	formatter = 0;
+
+	InitConfigOptions();
+	init_options = InitFilterOptions();
 	}
 
-Ascii::~Ascii()
+void Ascii::InitConfigOptions()
 	{
-	if ( ! ascii_done )
-		{
-		fprintf(stderr, "internal error: finish missing\n");
-		abort();
-		}
-
-	delete formatter;
-	}
-
-bool Ascii::WriteHeaderField(const string& key, const string& val)
-	{
-	string str = meta_prefix + key + separator + val + "\n";
-
-	return safe_write(fd, str.c_str(), str.length());
-	}
-
-void Ascii::CloseFile(double t)
-	{
-	if ( ! fd )
-		return;
-
-	if ( include_meta && ! tsv )
-		WriteHeaderField("close", Timestamp(0));
-
-	safe_close(fd);
-	fd = 0;
-	}
-
-bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields)
-	{
-	assert(! fd);
-
-	// Set some default values.
 	output_to_stdout = BifConst::LogAscii::output_to_stdout;
 	include_meta = BifConst::LogAscii::include_meta;
 	use_json = BifConst::LogAscii::use_json;
@@ -96,9 +66,15 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 			(const char*) tsfmt.Bytes(),
 			tsfmt.Len()
 			);
+	}
+
+bool Ascii::InitFilterOptions()
+	{
+	const WriterInfo& info = Info();
 
 	// Set per-filter configuration options.
-	for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
+	for ( WriterInfo::config_map::const_iterator i = info.config.begin();
+	      i != info.config.end(); ++i )
 		{
 		if ( strcmp(i->first, "tsv") == 0 )
 			{
@@ -158,6 +134,17 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 			json_timestamps.assign(i->second);
 		}
 
+	if ( ! InitFormatter() )
+		return false;
+
+	return true;
+	}
+
+bool Ascii::InitFormatter()
+	{
+	delete formatter;
+	formatter = 0;
+
 	if ( use_json )
 		{
 		formatter::JSON::TimeFormat tf = formatter::JSON::TS_EPOCH;
@@ -175,22 +162,59 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 			return false;
 			}
 
-		delete formatter;
 		formatter = new formatter::JSON(this, tf);
 		// Using JSON implicitly turns off the header meta fields.
 		include_meta = false;
 		}
-
 	else
 		{
 		// Use the default "Bro logs" format.
 		desc.EnableEscaping();
 		desc.AddEscapeSequence(separator);
 		formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field);
-		delete formatter;
 		formatter = new formatter::Ascii(this, sep_info);
 		}
 
+	return true;
+	}
+
+Ascii::~Ascii()
+	{
+	if ( ! ascii_done )
+		{
+		fprintf(stderr, "internal error: finish missing\n");
+		abort();
+		}
+
+	delete formatter;
+	}
+
+bool Ascii::WriteHeaderField(const string& key, const string& val)
+	{
+	string str = meta_prefix + key + separator + val + "\n";
+
+	return safe_write(fd, str.c_str(), str.length());
+	}
+
+void Ascii::CloseFile(double t)
+	{
+	if ( ! fd )
+		return;
+
+	if ( include_meta && ! tsv )
+		WriteHeaderField("close", Timestamp(0));
+
+	safe_close(fd);
+	fd = 0;
+	}
+
+bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields)
+	{
+	assert(! fd);
+
+	if ( ! init_options )
+		return false;
+
 	string path = info.path;
 
 	if ( output_to_stdout )
@@ -208,58 +232,65 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 		return false;
 		}
 
-	if ( include_meta )
+	if ( ! WriteHeader(path) )
 		{
-		string names;
-		string types;
-
-		for ( int i = 0; i < num_fields; ++i )
-			{
-			if ( i > 0 )
-				{
-				names += separator;
-				types += separator;
-				}
-
-			names += string(fields[i]->name);
-			types += fields[i]->TypeName().c_str();
-			}
-
-		if ( tsv )
-			{
-			// A single TSV-style line is all we need.
-			string str = names + "\n";
-			if ( ! safe_write(fd, str.c_str(), str.length()) )
-				goto write_error;
-
-			return true;
-			}
-
-		string str = meta_prefix
-			+ "separator " // Always use space as separator here.
-			+ get_escaped_string(separator, false)
-			+ "\n";
-
-		if ( ! safe_write(fd, str.c_str(), str.length()) )
-			goto write_error;
-
-		if ( ! (WriteHeaderField("set_separator", get_escaped_string(set_separator, false)) &&
-			WriteHeaderField("empty_field", get_escaped_string(empty_field, false)) &&
-			WriteHeaderField("unset_field", get_escaped_string(unset_field, false)) &&
-			WriteHeaderField("path", get_escaped_string(path, false)) &&
-			WriteHeaderField("open", Timestamp(0))) )
-			goto write_error;
-
-		if ( ! (WriteHeaderField("fields", names)
-			&& WriteHeaderField("types", types)) )
-			goto write_error;
+		Error(Fmt("error writing to %s: %s", fname.c_str(), Strerror(errno)));
+		return false;
 		}
 
 	return true;
+	}
 
-write_error:
-	Error(Fmt("error writing to %s: %s", fname.c_str(), Strerror(errno)));
-	return false;
+bool Ascii::WriteHeader(const string& path)
+	{
+	if ( ! include_meta )
+		return true;
+
+	string names;
+	string types;
+
+	for ( int i = 0; i < NumFields(); ++i )
+		{
+		if ( i > 0 )
+			{
+			names += separator;
+			types += separator;
+			}
+
+		names += string(Fields()[i]->name);
+		types += Fields()[i]->TypeName().c_str();
+		}
+
+	if ( tsv )
+		{
+		// A single TSV-style line is all we need.
+		string str = names + "\n";
+		if ( ! safe_write(fd, str.c_str(), str.length()) )
+			return false;
+
+		return true;
+		}
+
+	string str = meta_prefix
+		+ "separator " // Always use space as separator here.
+		+ get_escaped_string(separator, false)
+		+ "\n";
+
+	if ( ! safe_write(fd, str.c_str(), str.length()) )
+		return false;
+
+	if ( ! (WriteHeaderField("set_separator", get_escaped_string(set_separator, false)) &&
+	        WriteHeaderField("empty_field", get_escaped_string(empty_field, false)) &&
+	        WriteHeaderField("unset_field", get_escaped_string(unset_field, false)) &&
+	        WriteHeaderField("path", get_escaped_string(path, false)) &&
+	        WriteHeaderField("open", Timestamp(0))) )
+		return false;
+
+	if ( ! (WriteHeaderField("fields", names) &&
+	        WriteHeaderField("types", types)) )
+		return false;
+
+	return true;
 	}
 
 bool Ascii::DoFlush(double network_time)
@@ -296,7 +327,7 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields,
 	if ( ! formatter->Describe(&desc, num_fields, fields, vals) )
 		return false;
 
-	desc.AddRaw("\n");
+	desc.AddRaw("\n", 1);
 
 	const char* bytes = (const char*)desc.Bytes();
 	int len = desc.Len();
diff --git a/src/logging/writers/Ascii.h b/src/logging/writers/Ascii.h
index 15afdef62f..54402cc141 100644
--- a/src/logging/writers/Ascii.h
+++ b/src/logging/writers/Ascii.h
@@ -34,9 +34,13 @@ protected:
 
 private:
 	bool IsSpecial(string path) 	{ return path.find("/dev/") == 0; }
+	bool WriteHeader(const string& path);
 	bool WriteHeaderField(const string& key, const string& value);
 	void CloseFile(double t);
 	string Timestamp(double t); // Uses current time if t is zero.
+	void InitConfigOptions();
+	bool InitFilterOptions();
+	bool InitFormatter();
 
 	int fd;
 	string fname;
@@ -58,6 +62,7 @@ private:
 	string json_timestamps;
 
 	threading::formatter::Formatter* formatter;
+	bool init_options;
 };
 
 }

From c9b40f1ca7bdbf9c0cb799477e695b93fcf3ba04 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 15 Apr 2014 16:36:47 -0500
Subject: [PATCH 175/220] Change how input/logging threads set their name.

Setting the thread name on every heartbeat uses a mild amount of
cycles and there's not much benefit to doing it there to get the
additional info regarding the number of processed messages since thread
names usually get truncated to 16 characters and omit that part anyway.
---
 src/input/ReaderBackend.cc   | 2 ++
 src/logging/WriterBackend.cc | 1 +
 src/threading/MsgThread.cc   | 9 ---------
 src/threading/MsgThread.h    | 2 +-
 4 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/src/input/ReaderBackend.cc b/src/input/ReaderBackend.cc
index abf369dd54..4c7540609c 100644
--- a/src/input/ReaderBackend.cc
+++ b/src/input/ReaderBackend.cc
@@ -215,6 +215,8 @@ bool ReaderBackend::Init(const int arg_num_fields,
 	if ( Failed() )
 		return true;
 
+	SetOSName(Fmt("bro: %s", Name()));
+
 	num_fields = arg_num_fields;
 	fields = arg_fields;
 
diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc
index 5e4230c8e3..35d3137c76 100644
--- a/src/logging/WriterBackend.cc
+++ b/src/logging/WriterBackend.cc
@@ -180,6 +180,7 @@ void WriterBackend::DisableFrontend()
 
 bool WriterBackend::Init(int arg_num_fields, const Field* const* arg_fields)
 	{
+	SetOSName(Fmt("bro: %s", Name()));
 	num_fields = arg_num_fields;
 	fields = arg_fields;
 
diff --git a/src/threading/MsgThread.cc b/src/threading/MsgThread.cc
index c713f65986..cf1facbba5 100644
--- a/src/threading/MsgThread.cc
+++ b/src/threading/MsgThread.cc
@@ -254,15 +254,6 @@ void MsgThread::Heartbeat()
 	SendIn(new HeartbeatMessage(this, network_time, current_time()));
 	}
 
-void MsgThread::HeartbeatInChild()
-	{
-	string n = Fmt("bro: %s (%" PRIu64 "/%" PRIu64 ")", Name(),
-		cnt_sent_in - queue_in.Size(),
-		cnt_sent_out - queue_out.Size());
-
-	SetOSName(n.c_str());
-	}
-
 void MsgThread::Finished()
 	{
 	child_finished = true;
diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h
index c5ba5b676f..e0a6f6dc01 100644
--- a/src/threading/MsgThread.h
+++ b/src/threading/MsgThread.h
@@ -199,7 +199,7 @@ protected:
 
 	/** Internal heartbeat processing. Called from child.
 	 */
-	void HeartbeatInChild();
+	void HeartbeatInChild() {}
 
 	/** Returns true if a child command has reported a failure. In that case, we'll
 	  * be in the process of killing this thread and no further activity

From ef41cc7189cf199d8d229aa47acd58b37e6d0eb4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 16 Apr 2014 10:48:22 -0700
Subject: [PATCH 176/220] Nicer notices for heartbleed.

Duplicates are now excluded and the notice texts contain a bit more useful information.
---
 scripts/policy/protocols/ssl/heartbleed.bro | 40 +++++++++++++--------
 1 file changed, 26 insertions(+), 14 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 0049c4c51f..dc38c66f73 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -15,11 +15,9 @@ export {
 	redef enum Notice::Type += {
 		## Indicates that a host performing a heartbleed attack.
 		SSL_Heartbeat_Attack,
-		## Indicates that a host performing a heartbleed attack was successful.
+		## Indicates that a host performing a heartbleed attack was probably successful.
 		SSL_Heartbeat_Attack_Success,
-		## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
-		SSL_Heartbeat_Encrypted_Attack_Success,
-		## Indicates we saw heartbeet requests with odd length. Probably an attack.
+		## Indicates we saw heartbeat requests with odd length. Probably an attack.
 		SSL_Heartbeat_Odd_Length,
 		## Indicates we saw many heartbeat requests without an reply. Might be an attack.
 		SSL_Heartbeat_Many_Requests
@@ -37,7 +35,8 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 			c$ssl$heartbleed_detected = T;
 			NOTICE([$note=SSL_Heartbeat_Attack,
 				$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
-				$conn=c
+				$conn=c,
+				$identifier=cat(c$uid, length, payload_length)
 				]);
 			}
 		}
@@ -45,8 +44,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 	if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
 		{
 			NOTICE([$note=SSL_Heartbeat_Attack_Success,
-				$msg="An TLS heartbleed attack was detected and probably exploited",
-				$conn=c
+				$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length),
+				$conn=c,
+				$identifier=c$uid
 				]);
 		}
 	}
@@ -60,16 +60,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 
 	if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
 			NOTICE([$note=SSL_Heartbeat_Many_Requests,
-				$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+				$msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 				$conn=c,
-				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats)
+				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
+				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
+				]);
+
+	if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
+			NOTICE([$note=SSL_Heartbeat_Many_Requests,
+				$msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
+				$conn=c,
+				$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
+				$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
 				]);
 
 	if ( is_orig && length < 19 )
 			NOTICE([$note=SSL_Heartbeat_Odd_Length,
-				$msg="Heartbeat message smaller than minimum length. Probable attack.",
+				$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length),
 				$conn=c,
-				$n=length
+				$n=length,
+				$identifier=cat(c$uid, length)
 				]);
 
 	if ( is_orig )
@@ -86,9 +96,11 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 		{
 		if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
 			{
-			NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
-				$msg="An Encrypted TLS heartbleed attack was probably detected!",
-				$conn=c
+			NOTICE([$note=SSL_Heartbeat_Attack_Success,
+				$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
+					c$ssl?$last_originator_heartbeat_request_size, c$ssl$last_originator_heartbeat_request_size),
+				$conn=c,
+				$identifier=c$uid # only throw once per connection
 				]);
 			}
 		else if ( ! c$ssl?$last_originator_heartbeat_request_size )

From e8a5ea88446d3e648349b54e514b33651be20aa7 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 18 Apr 2014 13:19:50 -0500
Subject: [PATCH 177/220] Refactor various hex escaping code.

---
 src/Desc.cc                       | 68 +++++++++++++++++--------------
 src/Desc.h                        | 26 ++++++++----
 src/logging/writers/Ascii.cc      |  6 +--
 src/threading/formatters/Ascii.cc |  6 +--
 src/threading/formatters/JSON.cc  |  7 ++--
 src/util.cc                       | 30 +++++++++-----
 src/util.h                        | 19 ++++++++-
 7 files changed, 102 insertions(+), 60 deletions(-)

diff --git a/src/Desc.cc b/src/Desc.cc
index 62c6130f40..f636a028b5 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -216,18 +216,32 @@ void ODesc::Indent()
 		}
 	}
 
-static const char hex_chars[] = "0123456789abcdef";
-
-static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned int n)
+static bool starts_with(const char* str1, const char* str2, size_t len)
 	{
-	if ( d->IsBinary() )
+	for ( size_t i = 0; i < len; ++i )
+		if ( str1[i] != str2[i] )
+			return false;
+
+	return true;
+	}
+
+size_t ODesc::StartsWithEscapeSequence(const char* start, const char* end)
+	{
+	if ( escape_sequences.empty() )
 		return 0;
 
-	while ( n-- )
+	escape_set::const_iterator it;
+
+	for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
 		{
-		if ( ! isprint(*bytes) )
-			return bytes;
-		++bytes;
+		const string& esc_str = *it;
+		size_t esc_len = esc_str.length();
+
+		if ( start + esc_len > end )
+			continue;
+
+		if ( starts_with(start, esc_str.c_str(), esc_len) )
+			return esc_len;
 		}
 
 	return 0;
@@ -235,21 +249,23 @@ static const char* find_first_unprintable(ODesc* d, const char* bytes, unsigned
 
 pair<const char*, size_t> ODesc::FirstEscapeLoc(const char* bytes, size_t n)
 	{
-	pair<const char*, size_t> p(find_first_unprintable(this, bytes, n), 1);
+	typedef pair<const char*, size_t> escape_pos;
 
-	string str(bytes, n);
-	list<string>::const_iterator it;
-	for ( it = escape_sequences.begin(); it != escape_sequences.end(); ++it )
+	if ( IsBinary() )
+		return escape_pos(0, 0);
+
+	for ( size_t i = 0; i < n; ++i )
 		{
-		size_t pos = str.find(*it);
-		if ( pos != string::npos && (p.first == 0 || bytes + pos < p.first) )
-			{
-			p.first = bytes + pos;
-			p.second = it->size();
-			}
+		if ( ! isprint(bytes[i]) )
+			return escape_pos(bytes + i, 1);
+
+		size_t len = StartsWithEscapeSequence(bytes + i, bytes + n);
+
+		if ( len )
+			return escape_pos(bytes + i, len);
 		}
 
-	return p;
+	return escape_pos(0, 0);
 	}
 
 void ODesc::AddBytes(const void* bytes, unsigned int n)
@@ -266,21 +282,11 @@ void ODesc::AddBytes(const void* bytes, unsigned int n)
 	while ( s < e )
 		{
 		pair<const char*, size_t> p = FirstEscapeLoc(s, e - s);
+
 		if ( p.first )
 			{
 			AddBytesRaw(s, p.first - s);
-			if ( p.second == 1 )
-				{
-				char hex[6] = "\\x00";
-				hex[2] = hex_chars[((*p.first) & 0xf0) >> 4];
-				hex[3] = hex_chars[(*p.first) & 0x0f];
-				AddBytesRaw(hex, 4);
-				}
-			else
-				{
-				string esc_str = get_escaped_string(string(p.first, p.second), true);
-				AddBytesRaw(esc_str.c_str(), esc_str.size());
-				}
+			get_escaped_string(this, p.first, p.second, true);
 			s = p.first + p.second;
 			}
 		else
diff --git a/src/Desc.h b/src/Desc.h
index 27dc326ff0..b7df7d75f7 100644
--- a/src/Desc.h
+++ b/src/Desc.h
@@ -4,7 +4,7 @@
 #define descriptor_h
 
 #include <stdio.h>
-#include <list>
+#include <set>
 #include <utility>
 
 #include "BroString.h"
@@ -54,16 +54,16 @@ public:
 	void SetFlush(int arg_do_flush)	{ do_flush = arg_do_flush; }
 
 	void EnableEscaping();
-	void AddEscapeSequence(const char* s) { escape_sequences.push_back(s); }
+	void AddEscapeSequence(const char* s) { escape_sequences.insert(s); }
 	void AddEscapeSequence(const char* s, size_t n)
-	    { escape_sequences.push_back(string(s, n)); }
+	    { escape_sequences.insert(string(s, n)); }
 	void AddEscapeSequence(const string & s)
-	    { escape_sequences.push_back(s); }
-	void RemoveEscapeSequence(const char* s) { escape_sequences.remove(s); }
+	    { escape_sequences.insert(s); }
+	void RemoveEscapeSequence(const char* s) { escape_sequences.erase(s); }
 	void RemoveEscapeSequence(const char* s, size_t n)
-	    { escape_sequences.remove(string(s, n)); }
+	    { escape_sequences.erase(string(s, n)); }
 	void RemoveEscapeSequence(const string & s)
-	    { escape_sequences.remove(s); }
+	    { escape_sequences.erase(s); }
 
 	void PushIndent();
 	void PopIndent();
@@ -163,6 +163,15 @@ protected:
 	 */
 	pair<const char*, size_t> FirstEscapeLoc(const char* bytes, size_t n);
 
+	/**
+	 * @param start start of string to check for starting with an espace
+	 *              sequence.
+	 * @param end one byte past the last character in the string.
+	 * @return The number of bytes in the escape sequence that the string
+	 *         starts with.
+	 */
+	size_t StartsWithEscapeSequence(const char* start, const char* end);
+
 	desc_type type;
 	desc_style style;
 
@@ -171,7 +180,8 @@ protected:
 	unsigned int size;	// size of buffer in bytes
 
 	bool escape;	// escape unprintable characters in output?
-	list<string> escape_sequences; // additional sequences of chars to escape
+	typedef set<string> escape_set;
+	escape_set escape_sequences; // additional sequences of chars to escape
 
 	BroFile* f;	// or the file we're using.
 
diff --git a/src/logging/writers/Ascii.cc b/src/logging/writers/Ascii.cc
index 43ffe47308..fe79089b04 100644
--- a/src/logging/writers/Ascii.cc
+++ b/src/logging/writers/Ascii.cc
@@ -335,10 +335,10 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields,
 	if ( strncmp(bytes, meta_prefix.data(), meta_prefix.size()) == 0 )
 		{
 		// It would so escape the first character.
-		char buf[16];
-		snprintf(buf, sizeof(buf), "\\x%02x", bytes[0]);
+		char hex[4] = {'\\', 'x', '0', '0'};
+		bytetohex(bytes[0], hex + 2);
 
-		if ( ! safe_write(fd, buf, strlen(buf)) )
+		if ( ! safe_write(fd, hex, 4) )
 			goto write_error;
 
 		++bytes;
diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc
index 3120549f13..6c114ff3fd 100644
--- a/src/threading/formatters/Ascii.cc
+++ b/src/threading/formatters/Ascii.cc
@@ -122,10 +122,8 @@ bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) con
 			// place-holder we use for unset optional fields. We
 			// escape the first character so that the output
 			// won't be ambigious.
-			static const char hex_chars[] = "0123456789abcdef";
-			char hex[6] = "\\x00";
-			hex[2] = hex_chars[((*data) & 0xf0) >> 4];
-			hex[3] = hex_chars[(*data) & 0x0f];
+			char hex[4] = {'\\', 'x', '0', '0'};
+			bytetohex(*data, hex + 2);
 			desc->AddRaw(hex, 4);
 
 			++data;
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 17712e8d53..472023e0f8 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -160,10 +160,11 @@ bool JSON::Describe(ODesc* desc, Value* val, const string& name) const
 				// 2byte Unicode escape special characters.
 				if ( c < 32 || c > 126 || c == '\n' || c == '"' || c == '\'' || c == '\\' || c == '&' )
 					{
-					static const char hex_chars[] = "0123456789abcdef";
 					desc->AddRaw("\\u00", 4);
-					desc->AddRaw(&hex_chars[(c & 0xf0) >> 4], 1);
-					desc->AddRaw(&hex_chars[c & 0x0f], 1);
+					char hex[2] = {'0', '0'};
+					bytetohex(c, hex);
+					desc->AddRaw(hex, 1);
+					desc->AddRaw(hex + 1, 1);
 					}
 				else
 					desc->AddRaw(&c, 1);
diff --git a/src/util.cc b/src/util.cc
index 434783a340..6190067aa6 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -120,31 +120,41 @@ std::string get_unescaped_string(const std::string& arg_str)
  * Takes a string, escapes characters into equivalent hex codes (\x##), and
  * returns a string containing all escaped values.
  *
+ * @param d an ODesc object to store the escaped hex version of the string,
+ *          if null one will be allocated and returned from the function.
  * @param str string to escape
  * @param escape_all If true, all characters are escaped. If false, only
  * characters are escaped that are either whitespace or not printable in
  * ASCII.
- * @return A std::string containing a list of escaped hex values of the form
- * \x## */
-std::string get_escaped_string(const std::string& str, bool escape_all)
+ * @return A ODesc object containing a list of escaped hex values of the form
+ *         \x##, which may be newly allocated if \a d was a null pointer. */
+ODesc* get_escaped_string(ODesc* d, const char* str, size_t len,
+                          bool escape_all)
 	{
-	char tbuf[16];
-	string esc = "";
+	if ( ! d )
+		d = new ODesc();
 
-	for ( size_t i = 0; i < str.length(); ++i )
+	for ( size_t i = 0; i < len; ++i )
 		{
 		char c = str[i];
 
 		if ( escape_all || isspace(c) || ! isascii(c) || ! isprint(c) )
 			{
-			snprintf(tbuf, sizeof(tbuf), "\\x%02x", str[i]);
-			esc += tbuf;
+			char hex[4] = {'\\', 'x', '0', '0' };
+			bytetohex(c, hex + 2);
+			d->AddRaw(hex, 4);
 			}
 		else
-			esc += c;
+			d->AddRaw(&c, 1);
 		}
 
-	return esc;
+	return d;
+	}
+
+std::string get_escaped_string(const char* str, size_t len, bool escape_all)
+	{
+	ODesc d;
+	return get_escaped_string(&d, str, len, escape_all)->Description();
 	}
 
 char* copy_string(const char* s)
diff --git a/src/util.h b/src/util.h
index aebc8bbc43..c6b657b7a8 100644
--- a/src/util.h
+++ b/src/util.h
@@ -102,8 +102,25 @@ void delete_each(T* t)
 std::string extract_ip(const std::string& i);
 std::string extract_ip_and_len(const std::string& i, int* len);
 
+inline void bytetohex(unsigned char byte, char* hex_out)
+	{
+	static const char hex_chars[] = "0123456789abcdef";
+	hex_out[0] = hex_chars[(byte & 0xf0) >> 4];
+	hex_out[1] = hex_chars[byte & 0x0f];
+	}
+
 std::string get_unescaped_string(const std::string& str);
-std::string get_escaped_string(const std::string& str, bool escape_all);
+
+class ODesc;
+
+ODesc* get_escaped_string(ODesc* d, const char* str, size_t len,
+                          bool escape_all);
+std::string get_escaped_string(const char* str, size_t len, bool escape_all);
+
+inline std::string get_escaped_string(const std::string& str, bool escape_all)
+	{
+	return get_escaped_string(str.data(), str.length(), escape_all);
+	}
 
 std::vector<std::string>* tokenize_string(std::string input,
 					  const std::string& delim,

From bc5c02cb745189c6672b88fde48b3fff338a1c5c Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 18 Apr 2014 16:35:43 -0500
Subject: [PATCH 178/220] Refactor file analysis file ID lookup.

Now using a dictionary instead of std::map as order doesn't matter and
lookup time shouldn't increase as more files are in process of being
analyzed.
---
 src/file_analysis/Manager.cc | 44 ++++++++++++++++++------------------
 src/file_analysis/Manager.h  | 14 +++++++-----
 2 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 5ff7bd7186..3f04ebfc2b 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -54,8 +54,11 @@ void Manager::Terminate()
 	{
 	vector<string> keys;
 
-	for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it )
-		keys.push_back(it->first);
+	IterCookie* it = id_map.InitForIteration();
+	HashKey* key;
+
+	while ( id_map.NextEntry(key, it) )
+		keys.push_back(static_cast<const char*>(key->Key()));
 
 	for ( size_t i = 0; i < keys.size(); ++i )
 		Timeout(keys[i], true);
@@ -249,11 +252,12 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
 	if ( IsIgnored(file_id) )
 		return 0;
 
-	File* rval = id_map[file_id];
+	File* rval = id_map.Lookup(file_id.c_str());
 
 	if ( ! rval )
 		{
-		rval = id_map[file_id] = new File(file_id, conn, tag, is_orig);
+		rval = new File(file_id, conn, tag, is_orig);
+		id_map.Insert(file_id.c_str(), rval);
 		rval->ScheduleInactivityTimer();
 
 		if ( IsIgnored(file_id) )
@@ -272,12 +276,7 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
 
 File* Manager::LookupFile(const string& file_id) const
 	{
-	IDMap::const_iterator it = id_map.find(file_id);
-
-	if ( it == id_map.end() )
-		return 0;
-
-	return it->second;
+	return id_map.Lookup(file_id.c_str());
 	}
 
 void Manager::Timeout(const string& file_id, bool is_terminating)
@@ -308,37 +307,38 @@ void Manager::Timeout(const string& file_id, bool is_terminating)
 
 bool Manager::IgnoreFile(const string& file_id)
 	{
-	if ( id_map.find(file_id) == id_map.end() )
+	if ( ! id_map.Lookup(file_id.c_str()) )
 		return false;
 
 	DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str());
 
-	ignored.insert(file_id);
-
+	delete ignored.Insert(file_id.c_str(), new bool);
 	return true;
 	}
 
 bool Manager::RemoveFile(const string& file_id)
 	{
-	IDMap::iterator it = id_map.find(file_id);
+	HashKey key(file_id.c_str());
+	// Can't remove from the dictionary/map right away as invoking EndOfFile
+	// may cause some events to be executed which actually depend on the file
+	// still being in the dictionary/map.
+	File* f = static_cast<File*>(id_map.Lookup(&key));
 
-	if ( it == id_map.end() )
+	if ( ! f )
 		return false;
 
 	DBG_LOG(DBG_FILE_ANALYSIS, "Remove FileID %s", file_id.c_str());
 
-	it->second->EndOfFile();
-
-	delete it->second;
-	id_map.erase(file_id);
-	ignored.erase(file_id);
-
+	f->EndOfFile();
+	delete f;
+	id_map.Remove(&key);
+	delete static_cast<bool*>(ignored.Remove(&key));
 	return true;
 	}
 
 bool Manager::IsIgnored(const string& file_id)
 	{
-	return ignored.find(file_id) != ignored.end();
+	return ignored.Lookup(file_id.c_str()) != 0;
 	}
 
 string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index bb6aaab971..2137e81389 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -4,10 +4,9 @@
 #define FILE_ANALYSIS_MANAGER_H
 
 #include <string>
-#include <map>
-#include <set>
 #include <queue>
 
+#include "Dict.h"
 #include "Net.h"
 #include "Conn.h"
 #include "Val.h"
@@ -27,6 +26,9 @@
 
 namespace file_analysis {
 
+declare(PDict,bool);
+declare(PDict,File);
+
 /**
  * Main entry point for interacting with file analysis.
  */
@@ -288,8 +290,8 @@ public:
 protected:
 	friend class FileTimer;
 
-	typedef set<string> IDSet;
-	typedef map<string, File*> IDMap;
+	typedef PDict(bool) IDSet;
+	typedef PDict(File) IDMap;
 
 	/**
 	 * Create a new file to be analyzed or retrieve an existing one.
@@ -361,8 +363,8 @@ protected:
 
 private:
 
-	IDMap id_map;	/**< Map file ID to file_analysis::File records. */
-	IDSet ignored;	/**< Ignored files.  Will be finally removed on EOF. */
+	PDict(File) id_map;  /**< Map file ID to file_analysis::File records. */
+	PDict(bool) ignored; /**< Ignored files.  Will be finally removed on EOF. */
 	string current_file_id;	/**< Hash of what get_file_handle event sets. */
 	RuleFileMagicState* magic_state;	/**< File magic signature match state. */
 

From 594975c93d88d3a176fd5ab967cf2d35a883747f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Mon, 21 Apr 2014 11:23:12 -0700
Subject: [PATCH 179/220] Make SSL/TLS version detection less brittle.

This still cannot deal with v2 hellos that use the long length.
On the other hand - OpenSSL also cannot deal with these and we should
not see many sslv2 connections in any case - so... they probably
would not work in practice in any case.
---
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 13 +++-
 src/analyzer/protocol/ssl/ssl-protocol.pac | 84 +++++++++++++++-------
 2 files changed, 68 insertions(+), 29 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 997faf0436..b6422584e3 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -293,6 +293,14 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_check_v2_server_hello_version(version: uint16) : bool
+		%{
+		if ( version != SSLv20 )
+			bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL server hello. Version: %d", version));
+
+		return true;
+		%}
+
 };
 
 #refine typeattr ChangeCipherSpec += &let {
@@ -337,6 +345,8 @@ refine typeattr V2ServerHello += &let {
 	proc : bool = $context.connection.proc_server_hello(rec, server_version, 0,
 				conn_id_data, 0, 0, ciphers, 0);
 
+	check_v2 : bool = $context.connection.proc_check_v2_server_hello_version(server_version);
+
 	cert : bool = $context.connection.proc_v2_certificate(rec, cert_data)
 		&requires(proc);
 };
@@ -346,8 +356,7 @@ refine typeattr Certificate += &let {
 };
 
 refine typeattr V2ClientMasterKey += &let {
-	proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind)
-		&requires(state_changed);
+	proc : bool = $context.connection.proc_v2_client_master_key(rec, cipher_kind);
 };
 
 refine typeattr UnknownHandshake += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index f72f34e9cc..d32d926f65 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -36,16 +36,14 @@ type SSLRecord(is_orig: bool) = record {
 } &length = length+5, &byteorder=bigendian,
 	&let {
 	version : int =
-		$context.connection.determine_ssl_version(head0, head1, head2);
+		$context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4);
 
 	content_type : int = case version of {
-		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> head2+300;
 		default -> head0;
 	};
 
 	length : int = case version of {
-		# UNKNOWN_VERSION -> 0; assume tls on unknown version
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
 	};
@@ -277,11 +275,6 @@ type CertificateList = X509Certificate[] &until($input.length() == 0);
 type Certificate(rec: SSLRecord) = record {
 	length : uint24;
 	certificates : CertificateList &length = to_int()(length);
-} &let {
-	state_changed_client : bool =
-		$context.connection.startEncryption(true);
-	state_changed_server : bool =
-		$context.connection.startEncryption(false);
 };
 
 
@@ -345,6 +338,9 @@ type V2ClientMasterKey(rec: SSLRecord) = record {
 	key_arg_data : bytestring &length = key_arg_len &transient;
 } &length = 7 + cl_key_len + en_key_len + key_arg_len, &let {
 	cipher_kind : int = (((rec.head3 << 16) | (rec.head4 << 8)) | cipher_kind_8);
+	# encryption starts for both sides after this message.
+	state_changed_client : bool = $context.connection.startEncryption(true);
+	state_changed_server : bool = $context.connection.startEncryption(false);
 };
 
 
@@ -435,41 +431,75 @@ refine connection SSL_Conn += {
 	%member{
 		int client_state_;
 		int server_state_;
-		int old_state_;
-		bool hello_requested_;
+		int record_layer_version_;
 	%}
 
 	%init{
 		server_state_ = STATE_CLEAR;
 		client_state_ = STATE_CLEAR;
+		record_layer_version_ = UNKNOWN_VERSION;
 	%}
 
-	function determine_ssl_version(head0 : uint8, head1 : uint8,
-					head2 : uint8) : int
+	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
+					head2 : uint8, head3: uint8, head4: uint8) : int
 		%{
-		if ( head0 >= 20 && head0 <= 23 &&
-				 head1 == 0x03 && head2 <= 0x03 )
-			// This is most probably SSL version 3.
-			return (head1 << 8) | head2;
+		if ( record_layer_version_ != UNKNOWN_VERSION )
+			return record_layer_version_;
 
-		else if ( head0 >= 128 && head2 < 5 && head2 != 3 )
-			// Not very strong evidence, but we suspect
-			// this to be SSLv2.
-			return SSLv20;
+		if ( head0 & 0x80 )
+			{
+			if ( head2 == 0x01 ) // SSLv2 client hello.
+				{
+				uint16 version = (head3<<8) | head4;
+				if ( version != SSLv20 && version != SSLv30 && version != TLSv10
+					&& version != TLSv11 && version != TLSv12 )
+					{
+					bro_analyzer()->ProtocolViolation(fmt("Invalid version in SSL client hello. Version: %d", version));
+					return UNKNOWN_VERSION;
+					}
+				else
+					return SSLv20;
+				}
 
-		else
+			else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2.
+				{
+				record_layer_version_ = SSLv20;
+				return SSLv20;
+				}
+			else // this is not SSL or TLS.
+				{
+				bro_analyzer()->ProtocolViolation(fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
+				return UNKNOWN_VERSION;
+				}
+			}
+
+		uint16 version = (head1<<8) | head2;
+		if ( version != SSLv30 && version != TLSv10
+		  && version != TLSv11 && version != TLSv12 )
+			{
+			bro_analyzer()->ProtocolViolation(fmt("Invalid version in TLS connection. Version: %d", version));
 			return UNKNOWN_VERSION;
+			}
+
+		if ( head0 >=20 && head0 <= 30 )
+			{ // ok, set record layer version, this never can be downgraded to v2
+			record_layer_version_ = version;
+			return version;
+			}
+
+		bro_analyzer()->ProtocolViolation(fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
+		return UNKNOWN_VERSION;
 		%}
 
 	function client_state() : int %{ return client_state_; %}
 	function server_state() : int %{ return client_state_; %}
 	function state(is_orig: bool) : int
-	%{
-	if ( is_orig )
-		return client_state_;
-	else
-		return server_state_;
-	%}
+		%{
+		if ( is_orig )
+			return client_state_;
+		else
+			return server_state_;
+		%}
 
 	function startEncryption(is_orig: bool) : bool
 		%{

From 8126f06ffb3402d380a80774a11f7df4b3f1b774 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 21 Apr 2014 16:43:33 -0500
Subject: [PATCH 180/220] Enforce data size limit when checking files for MIME
 matches.

The value of *bof_buffer_size* in the *fa_file* record was supposed to
always limit the amount of data used by the signature matching engine,
but some corner cases would cause matching to be performed on data
beyond that.
---
 src/file_analysis/File.cc                                 | 1 +
 .../doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1     | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index e8a7ea15ee..2772b55418 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -283,6 +283,7 @@ bool File::BufferBOF(const u_char* data, uint64 len)
 bool File::DetectMIME(const u_char* data, uint64 len)
 	{
 	RuleMatcher::MIME_Matches matches;
+	len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);
 
 	if ( matches.empty() )
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index 3cd6a49e11..3d6b9dffad 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -16,15 +16,15 @@
       #empty_field	(empty)
       #unset_field	-
       #path	mime_metrics
-      #open	2014-03-06-17-30-44
+      #open	2014-04-21-21-34-08
       #fields	ts	ts_delta	mtype	uniq_hosts	hits	bytes
       #types	time	interval	string	count	count	count
-      1389719059.311698	300.000000	text/html	1	4	53070
+      1389719059.311698	300.000000	text/html	1	3	47335
       1389719059.311698	300.000000	image/jpeg	1	1	186859
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
-      1389719059.311698	300.000000	text/plain	1	12	113982
+      1389719059.311698	300.000000	text/plain	1	13	119717
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
       1389719059.311698	300.000000	image/x-icon	1	2	2300
-      #close	2014-03-06-17-30-44
+      #close	2014-04-21-21-34-08
 

From 171c6ce86bfc53bed837458d946f9cd097f4c463 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Mon, 21 Apr 2014 16:55:51 -0500
Subject: [PATCH 181/220] Refactor regex/signature AcceptingSet data structure
 and usages.

Several parts of that code would do membership checks and that's going
to be more efficient with a set instead of a list data structure.
---
 src/DFA.cc         |  28 +++-------
 src/RE.cc          |  42 +++++++--------
 src/RE.h           |  20 ++++---
 src/RuleMatcher.cc | 130 +++++++++++++++++++--------------------------
 src/RuleMatcher.h  |   3 ++
 5 files changed, 99 insertions(+), 124 deletions(-)

diff --git a/src/DFA.cc b/src/DFA.cc
index ad9521709e..dbfed71ba3 100644
--- a/src/DFA.cc
+++ b/src/DFA.cc
@@ -211,9 +211,10 @@ void DFA_State::Dump(FILE* f, DFA_Machine* m)
 
 	if ( accept )
 		{
-		for ( int i = 0; i < accept->length(); ++i )
-			fprintf(f, "%s accept #%d",
-				i > 0 ? "," : "", int((*accept)[i]));
+		AcceptingSet::const_iterator it;
+
+		for ( it = accept->begin(); it != accept->end(); ++it )
+			fprintf(f, "%s accept #%d", it == accept->begin() ? "" : ",", *it);
 		}
 
 	fprintf(f, "\n");
@@ -285,7 +286,7 @@ unsigned int DFA_State::Size()
 	{
 	return sizeof(*this)
 		+ pad_size(sizeof(DFA_State*) * num_sym)
-		+ (accept ? pad_size(sizeof(int) * accept->length()) : 0)
+		+ (accept ? pad_size(sizeof(int) * accept->size()) : 0)
 		+ (nfa_states ? pad_size(sizeof(NFA_State*) * nfa_states->length()) : 0)
 		+ (meta_ec ? meta_ec->Size() : 0)
 		+ (centry ? padded_sizeof(CacheEntry) : 0);
@@ -470,33 +471,20 @@ int DFA_Machine::StateSetToDFA_State(NFA_state_list* state_set,
 		return 0;
 
 	AcceptingSet* accept = new AcceptingSet;
+
 	for ( int i = 0; i < state_set->length(); ++i )
 		{
 		int acc = (*state_set)[i]->Accept();
 
 		if ( acc != NO_ACCEPT )
-			{
-			int j;
-			for ( j = 0; j < accept->length(); ++j )
-				if ( (*accept)[j] == acc )
-					break;
-
-			if ( j >= accept->length() )
-				// It's not already present.
-				accept->append(acc);
-			}
+			accept->insert(acc);
 		}
 
-	if ( accept->length() == 0 )
+	if ( accept->empty() )
 		{
 		delete accept;
 		accept = 0;
 		}
-	else
-		{
-		accept->sort(int_list_cmp);
-		accept->resize(0);
-		}
 
 	DFA_State* ds = new DFA_State(state_count++, ec, state_set, accept);
 	d = dfa_state_cache->Insert(ds, hash);
diff --git a/src/RE.cc b/src/RE.cc
index 87117c1c3a..4855b0e39a 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -3,6 +3,7 @@
 #include "config.h"
 
 #include <stdlib.h>
+#include <utility>
 
 #include "RE.h"
 #include "DFA.h"
@@ -266,6 +267,15 @@ void Specific_RE_Matcher::Dump(FILE* f)
 	dfa->Dump(f);
 	}
 
+inline void RE_Match_State::AddMatches(const AcceptingSet& as,
+                                       MatchPos position)
+	{
+	typedef std::pair<AcceptIdx, MatchPos> am_idx;
+
+	for ( AcceptingSet::const_iterator it = as.begin(); it != as.end(); ++it )
+		accepted_matches.insert(am_idx(*it, position));
+	}
+
 bool RE_Match_State::Match(const u_char* bv, int n,
 				bool bol, bool eol, bool clear)
 	{
@@ -283,14 +293,9 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 		current_state = dfa->StartState();
 
 		const AcceptingSet* ac = current_state->Accept();
+
 		if ( ac )
-			{
-			loop_over_list(*ac, i)
-				{
-				accepted.append((*ac)[i]);
-				match_pos.append(0);
-				}
-			}
+			AddMatches(*ac, 0);
 		}
 
 	else if ( clear )
@@ -301,7 +306,7 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 
 	current_pos = 0;
 
-	int old_matches = accepted.length();
+	size_t old_matches = accepted_matches.size();
 
 	int ec;
 	int m = bol ? n + 1 : n;
@@ -324,25 +329,17 @@ bool RE_Match_State::Match(const u_char* bv, int n,
 			break;
 			}
 
-		if ( next_state->Accept() )
-			{
-			const AcceptingSet* ac = next_state->Accept();
-			loop_over_list(*ac, i)
-				{
-				if ( ! accepted.is_member((*ac)[i]) )
-					{
-					accepted.append((*ac)[i]);
-					match_pos.append(current_pos);
-					}
-				}
-			}
+		const AcceptingSet* ac = next_state->Accept();
+
+		if ( ac )
+			AddMatches(*ac, current_pos);
 
 		++current_pos;
 
 		current_state = next_state;
 		}
 
-	return accepted.length() != old_matches;
+	return accepted_matches.size() != old_matches;
 	}
 
 int Specific_RE_Matcher::LongestMatch(const u_char* bv, int n)
@@ -399,7 +396,8 @@ unsigned int Specific_RE_Matcher::MemoryAllocation() const
 		+ equiv_class.Size() - padded_sizeof(EquivClass)
 		+ (dfa ? dfa->MemoryAllocation() : 0) // this is ref counted; consider the bytes here?
 		+ padded_sizeof(*any_ccl)
-		+ accepted->MemoryAllocation();
+		+ padded_sizeof(*accepted)
+		+ accepted->size() * padded_sizeof(AcceptingSet::key_type);
 	}
 
 RE_Matcher::RE_Matcher()
diff --git a/src/RE.h b/src/RE.h
index a2fc709c88..7437dbb8b8 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -9,6 +9,9 @@
 #include "CCL.h"
 #include "EquivClass.h"
 
+#include <set>
+#include <map>
+
 #include <ctype.h>
 typedef int (*cce_func)(int);
 
@@ -33,7 +36,10 @@ extern int re_lex(void);
 extern int clower(int);
 extern void synerr(const char str[]);
 
-typedef int_list AcceptingSet;
+typedef int AcceptIdx;
+typedef std::set<AcceptIdx> AcceptingSet;
+typedef uint64 MatchPos;
+typedef std::map<AcceptIdx, MatchPos> AcceptingMatchSet;
 typedef name_list string_list;
 
 typedef enum { MATCH_ANYWHERE, MATCH_EXACTLY, } match_type;
@@ -135,8 +141,8 @@ public:
 		current_state = 0;
 		}
 
-	const AcceptingSet* Accepted() const	{ return &accepted; }
-	const int_list* MatchPositions() const	{ return &match_pos; }
+	const AcceptingMatchSet& AcceptedMatches() const
+		{ return accepted_matches; }
 
 	// Returns the number of bytes feeded into the matcher so far
 	int Length()	{ return current_pos; }
@@ -149,16 +155,16 @@ public:
 		{
 		current_pos = -1;
 		current_state = 0;
-		accepted.clear();
-		match_pos.clear();
+		accepted_matches.clear();
 		}
 
+	void AddMatches(const AcceptingSet& as, MatchPos position);
+
 protected:
 	DFA_Machine* dfa;
 	int* ecs;
 
-	AcceptingSet accepted;
-	int_list match_pos;
+	AcceptingMatchSet accepted_matches;
 	DFA_State* current_state;
 	int current_pos;
 };
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 5e9dff0a1f..5cea843c8d 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -594,6 +594,29 @@ RuleFileMagicState* RuleMatcher::InitFileMagic() const
 	return state;
 	}
 
+bool RuleMatcher::AllRulePatternsMatched(const Rule* r, MatchPos matchpos,
+                                         const AcceptingMatchSet& ams)
+	{
+	DBG_LOG(DBG_RULES, "Checking rule: %s", r->id);
+
+	// Check whether all patterns of the rule have matched.
+	loop_over_list(r->patterns, j)
+		{
+		if ( ams.find(r->patterns[j]->id) == ams.end() )
+			return false;
+
+		// See if depth is satisfied.
+		if ( matchpos > r->patterns[j]->offset + r->patterns[j]->depth )
+			return false;
+
+		// FIXME: How to check for offset ??? ###
+		}
+
+	DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
+
+	return true;
+	}
+
 RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
                                               const u_char* data, uint64 len,
                                               MIME_Matches* rval) const
@@ -636,56 +659,39 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 
 	DBG_LOG(DBG_RULES, "New pattern match found");
 
-	AcceptingSet accepted;
-	int_list matchpos;
+	AcceptingMatchSet accepted_matches;
 
 	loop_over_list(state->matchers, y)
 		{
 		RuleFileMagicState::Matcher* m = state->matchers[y];
-		const AcceptingSet* ac = m->state->Accepted();
-
-		loop_over_list(*ac, k)
-			{
-			if ( ! accepted.is_member((*ac)[k]) )
-				{
-				accepted.append((*ac)[k]);
-				matchpos.append((*m->state->MatchPositions())[k]);
-				}
-			}
+		const AcceptingMatchSet& ams = m->state->AcceptedMatches();
+		accepted_matches.insert(ams.begin(), ams.end());
 		}
 
 	// Find rules for which patterns have matched.
-	rule_list matched;
+	set<Rule*> rule_matches;
 
-	loop_over_list(accepted, i)
+	for ( AcceptingMatchSet::const_iterator it = accepted_matches.begin();
+	      it != accepted_matches.end(); ++it )
 		{
-		Rule* r = Rule::rule_table[accepted[i] - 1];
+		AcceptIdx aidx = it->first;
+		MatchPos mpos = it->second;
 
-		DBG_LOG(DBG_RULES, "Checking rule: %v", r->id);
+		Rule* r = Rule::rule_table[aidx - 1];
 
-		loop_over_list(r->patterns, j)
-			{
-			if ( ! accepted.is_member(r->patterns[j]->id) )
-				continue;
-
-			if ( (unsigned int) matchpos[i] >
-			     r->patterns[j]->offset + r->patterns[j]->depth )
-				continue;
-
-			DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
-			}
-
-		if ( ! matched.is_member(r) )
-			matched.append(r);
+		if ( AllRulePatternsMatched(r, mpos, accepted_matches) )
+			rule_matches.insert(r);
 		}
 
-	loop_over_list(matched, j)
+	for ( set<Rule*>::const_iterator it = rule_matches.begin();
+	      it != rule_matches.end(); ++it )
 		{
-		Rule* r = matched[j];
+		Rule* r = *it;
 
 		loop_over_list(r->actions, rai)
 			{
-			const RuleActionMIME* ram = dynamic_cast<const RuleActionMIME*>(r->actions[rai]);
+			const RuleActionMIME* ram =
+			       dynamic_cast<const RuleActionMIME*>(r->actions[rai]);
 
 			if ( ! ram )
 				continue;
@@ -876,66 +882,40 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
 
 	DBG_LOG(DBG_RULES, "New pattern match found");
 
-	// Build a joined AcceptingSet.
-	AcceptingSet accepted;
-	int_list matchpos;
+	AcceptingMatchSet accepted_matches;
 
-	loop_over_list(state->matchers, y)
+	loop_over_list(state->matchers, y )
 		{
 		RuleEndpointState::Matcher* m = state->matchers[y];
-		const AcceptingSet* ac = m->state->Accepted();
-
-		loop_over_list(*ac, k)
-			{
-			if ( ! accepted.is_member((*ac)[k]) )
-				{
-				accepted.append((*ac)[k]);
-				matchpos.append((*m->state->MatchPositions())[k]);
-				}
-			}
+		const AcceptingMatchSet& ams = m->state->AcceptedMatches();
+		accepted_matches.insert(ams.begin(), ams.end());
 		}
 
 	// Determine the rules for which all patterns have matched.
 	// This code should be fast enough as long as there are only very few
 	// matched patterns per connection (which is a plausible assumption).
 
-	rule_list matched;
+	// Find rules for which patterns have matched.
+	set<Rule*> rule_matches;
 
-	loop_over_list(accepted, i)
+	for ( AcceptingMatchSet::const_iterator it = accepted_matches.begin();
+	      it != accepted_matches.end(); ++it )
 		{
-		Rule* r = Rule::rule_table[accepted[i] - 1];
+		AcceptIdx aidx = it->first;
+		MatchPos mpos = it->second;
 
-		DBG_LOG(DBG_RULES, "Checking rule: %s", r->id);
+		Rule* r = Rule::rule_table[aidx - 1];
 
-		// Check whether all patterns of the rule have matched.
-		loop_over_list(r->patterns, j)
-			{
-			if ( ! accepted.is_member(r->patterns[j]->id) )
-				goto next_pattern;
-
-			// See if depth is satisfied.
-			if ( (unsigned int) matchpos[i] >
-			     r->patterns[j]->offset + r->patterns[j]->depth )
-				goto next_pattern;
-
-			DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
-
-			// FIXME: How to check for offset ??? ###
-			}
-
-		// If not already in the list of matching rules, add it.
-		if ( ! matched.is_member(r) )
-			matched.append(r);
-
-next_pattern:
-		continue;
+		if ( AllRulePatternsMatched(r, mpos, accepted_matches) )
+			rule_matches.insert(r);
 		}
 
 	// Check which of the matching rules really belong to any of our nodes.
 
-	loop_over_list(matched, j)
+	for ( set<Rule*>::const_iterator it = rule_matches.begin();
+	      it != rule_matches.end(); ++it )
 		{
-		Rule* r = matched[j];
+		Rule* r = *it;
 
 		DBG_LOG(DBG_RULES, "Accepted rule: %s", r->id);
 
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 52e00f6bad..da2838cb6d 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -361,6 +361,9 @@ private:
 
 	void DumpStateStats(BroFile* f, RuleHdrTest* hdr_test);
 
+	static bool AllRulePatternsMatched(const Rule* r, MatchPos matchpos,
+	                                   const AcceptingMatchSet& ams);
+
 	int RE_level;
 	bool parse_error;
 	RuleHdrTest* root;

From e24f3f5fd514832ecb26c9b606b9dbfed56792f2 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 22 Apr 2014 16:32:22 -0700
Subject: [PATCH 182/220] Updating CHANGES and VERSION.

---
 CHANGES                             | 4 ++++
 aux/broctl                          | 2 +-
 scripts/base/protocols/dns/main.bro | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d91a2e4700..aad47320de 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-341 | 2014-04-17 18:01:41 -0500
+
+  * Fix duplicate DNS log entries. (Robin Sommer)
+
 2.2-341 | 2014-04-17 18:01:01 -0500
 
   * Refactor initialization of ASCII log writer options. (Jon Siwek)
diff --git a/aux/broctl b/aux/broctl
index d99150801b..f249570e3f 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit d99150801b7844e082b5421d1efe4050702d350e
+Subproject commit f249570e3fb4c83e532cc0813786f0ff60c4dea9
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index fe371de2a8..d7280602e6 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -183,7 +183,7 @@ function log_unmatched_msgs(msgs: PendingMessages)
 	for ( trans_id in msgs )
 		log_unmatched_msgs_queue(msgs[trans_id]);
 
-	msgs = PendingMessages();
+	clear_table(msgs);
 	}
 
 function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info)

From b9e956176e83cbc28ff785fb598c980e6e26c8ff Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Tue, 22 Apr 2014 21:35:30 -0700
Subject: [PATCH 183/220] Updating submodule(s).

 [nomail]
---
 aux/bro-aux | 2 +-
 aux/broctl  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/aux/bro-aux b/aux/bro-aux
index 3f86e2d5db..5c0043d587 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 3f86e2d5db2a0c5f2f104b15f359f4b752bb4558
+Subproject commit 5c0043d587314c57070e5362762e3e0f6408c2be
diff --git a/aux/broctl b/aux/broctl
index f249570e3f..d99150801b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f249570e3fb4c83e532cc0813786f0ff60c4dea9
+Subproject commit d99150801b7844e082b5421d1efe4050702d350e

From 782615e9ddea93c5ea46d21f7001e48fa7e8ef00 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 10:44:47 -0500
Subject: [PATCH 184/220] Remove unused Val::attribs member.

---
 src/Serializer.h |  2 +-
 src/Val.cc       |  7 -------
 src/Val.h        | 13 -------------
 3 files changed, 1 insertion(+), 21 deletions(-)

diff --git a/src/Serializer.h b/src/Serializer.h
index af4878ccf5..543797a7af 100644
--- a/src/Serializer.h
+++ b/src/Serializer.h
@@ -125,7 +125,7 @@ protected:
 
 	// This will be increased whenever there is an incompatible change
 	// in the data format.
-	static const uint32 DATA_FORMAT_VERSION = 24;
+	static const uint32 DATA_FORMAT_VERSION = 25;
 
 	ChunkedIO* io;
 
diff --git a/src/Val.cc b/src/Val.cc
index aa9c888d49..2d75680182 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -32,7 +32,6 @@ Val::Val(Func* f)
 	val.func_val = f;
 	::Ref(val.func_val);
 	type = f->FType()->Ref();
-	attribs = 0;
 #ifdef DEBUG
 	bound_id = 0;
 #endif
@@ -49,7 +48,6 @@ Val::Val(BroFile* f)
 	assert(f->FType()->Tag() == TYPE_STRING);
 	type = string_file_type->Ref();
 
-	attribs = 0;
 #ifdef DEBUG
 	bound_id = 0;
 #endif
@@ -190,8 +188,6 @@ bool Val::DoSerialize(SerialInfo* info) const
 	if ( ! type->Serialize(info) )
 		return false;
 
-	SERIALIZE_OPTIONAL(attribs);
-
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_VOID:
 		info->s->Error("type is void");
@@ -251,9 +247,6 @@ bool Val::DoUnserialize(UnserialInfo* info)
 	if ( ! (type = BroType::Unserialize(info)) )
 		return false;
 
-	UNSERIALIZE_OPTIONAL(attribs,
-		(RecordVal*) Val::Unserialize(info, TYPE_RECORD));
-
 	switch ( type->InternalType() ) {
 	case TYPE_INTERNAL_VOID:
 		info->s->Error("type is void");
diff --git a/src/Val.h b/src/Val.h
index b94cb2d621..58b24a3e5d 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -80,7 +80,6 @@ public:
 		{
 		val.int_val = b;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -90,7 +89,6 @@ public:
 		{
 		val.int_val = bro_int_t(i);
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -100,7 +98,6 @@ public:
 		{
 		val.uint_val = bro_uint_t(u);
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -110,7 +107,6 @@ public:
 		{
 		val.int_val = i;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -120,7 +116,6 @@ public:
 		{
 		val.uint_val = u;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -130,7 +125,6 @@ public:
 		{
 		val.double_val = d;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -145,7 +139,6 @@ public:
 	Val(BroType* t, bool type_type) // Extra arg to differentiate from protected version.
 		{
 		type = new TypeType(t->Ref());
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -155,7 +148,6 @@ public:
 		{
 		val.int_val = 0;
 		type = base_type(TYPE_ERROR);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -364,7 +356,6 @@ protected:
 		{
 		val.string_val = s;
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -376,7 +367,6 @@ protected:
 	Val(TypeTag t)
 		{
 		type = base_type(t);
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -385,7 +375,6 @@ protected:
 	Val(BroType* t)
 		{
 		type = t->Ref();
-		attribs = 0;
 #ifdef DEBUG
 		bound_id = 0;
 #endif
@@ -400,7 +389,6 @@ protected:
 
 	BroValUnion val;
 	BroType* type;
-	RecordVal* attribs;
 
 #ifdef DEBUG
 	// For debugging, we keep the name of the ID to which a Val is bound.
@@ -944,7 +932,6 @@ public:
 		{
 		val.int_val = i;
 		type = t;
-		attribs = 0;
 		}
 
 	Val* SizeVal() const	{ return new Val(val.int_val, TYPE_INT); }

From 02504897306075c2b9a42603e0f776fbe4688590 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 16:14:13 -0500
Subject: [PATCH 185/220] Adapt IRC/FTP analyzers to cache file analysis IDs.

---
 src/analyzer/protocol/file/File.cc | 71 ++++++++++--------------------
 src/analyzer/protocol/file/File.h  | 22 ++++-----
 2 files changed, 32 insertions(+), 61 deletions(-)

diff --git a/src/analyzer/protocol/file/File.cc b/src/analyzer/protocol/file/File.cc
index 4476043721..4ea8dffaa8 100644
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@@ -31,12 +31,25 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		if ( buffer_len == BUFFER_SIZE )
 			Identify();
 		}
-	return;
+
+	if ( orig )
+		file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
+		                                orig, file_id_orig);
+	else
+		file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(),
+		                                orig, file_id_resp);
 	}
 
 void File_Analyzer::Undelivered(int seq, int len, bool orig)
 	{
 	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+	if ( orig )
+		file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
+		                             file_id_orig);
+	else
+		file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig,
+		                             file_id_resp);
 	}
 
 void File_Analyzer::Done()
@@ -45,6 +58,16 @@ void File_Analyzer::Done()
 
 	if ( buffer_len && buffer_len != BUFFER_SIZE )
 		Identify();
+
+	if ( ! file_id_orig.empty() )
+		file_mgr->EndOfFile(file_id_orig);
+	else
+		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
+
+	if ( ! file_id_resp.empty() )
+		file_mgr->EndOfFile(file_id_resp);
+	else
+		file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
 	}
 
 void File_Analyzer::Identify()
@@ -61,49 +84,3 @@ void File_Analyzer::Identify()
 	vl->append(new StringVal(match));
 	ConnectionEvent(file_transferred, vl);
 	}
-
-IRC_Data::IRC_Data(Connection* conn)
-	: File_Analyzer("IRC_Data", conn)
-	{
-	}
-
-void IRC_Data::Done()
-	{
-	File_Analyzer::Done();
-	file_mgr->EndOfFile(GetAnalyzerTag(), Conn());
-	}
-
-void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	File_Analyzer::DeliverStream(len, data, orig);
-	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
-	}
-
-void IRC_Data::Undelivered(int seq, int len, bool orig)
-	{
-	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
-	}
-
-FTP_Data::FTP_Data(Connection* conn)
-	: File_Analyzer("FTP_Data", conn)
-	{
-	}
-
-void FTP_Data::Done()
-	{
-	File_Analyzer::Done();
-	file_mgr->EndOfFile(GetAnalyzerTag(), Conn());
-	}
-
-void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
-	{
-	File_Analyzer::DeliverStream(len, data, orig);
-	file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig);
-	}
-
-void FTP_Data::Undelivered(int seq, int len, bool orig)
-	{
-	File_Analyzer::Undelivered(seq, len, orig);
-	file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig);
-	}
diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h
index 7afbd569c4..9376dcc7c3 100644
--- a/src/analyzer/protocol/file/File.h
+++ b/src/analyzer/protocol/file/File.h
@@ -28,17 +28,15 @@ protected:
 	static const int BUFFER_SIZE = 1024;
 	char buffer[BUFFER_SIZE];
 	int buffer_len;
+	string file_id_orig;
+	string file_id_resp;
 };
 
 class IRC_Data : public File_Analyzer {
 public:
-	IRC_Data(Connection* conn);
-
-	virtual void Done();
-
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
-
-	virtual void Undelivered(int seq, int len, bool orig);
+	IRC_Data(Connection* conn)
+		: File_Analyzer("IRC_Data", conn)
+		{ }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new IRC_Data(conn); }
@@ -46,13 +44,9 @@ public:
 
 class FTP_Data : public File_Analyzer {
 public:
-	FTP_Data(Connection* conn);
-
-	virtual void Done();
-
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
-
-	virtual void Undelivered(int seq, int len, bool orig);
+	FTP_Data(Connection* conn)
+		: File_Analyzer("FTP_Data", conn)
+		{ }
 
 	static Analyzer* InstantiateAnalyzer(Connection* conn)
 		{ return new FTP_Data(conn); }

From de8f8f87b69b562d8afb71b1dd19d8ae41478256 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 16:26:18 -0500
Subject: [PATCH 186/220] Adapt more of HTTP analyzer to use cached file
 analysis IDs.

Some EndOfFile calls can re-use a cached file ID.
---
 src/analyzer/protocol/http/HTTP.cc | 24 +++++++++++++++++++-----
 src/analyzer/protocol/http/HTTP.h  |  1 +
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index f676643b7c..bc0081ab52 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -583,9 +583,16 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 	top_level->EndOfData();
 
 	if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
-		// multipart/byteranges may span multiple connections
-		file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
-		                    MyHTTP_Analyzer()->Conn(), is_orig);
+		{
+		// multipart/byteranges may span multiple connections, so don't EOF.
+		HTTP_Entity* he = dynamic_cast<HTTP_Entity*>(top_level);
+
+		if ( he && ! he->FileID().empty() )
+			file_mgr->EndOfFile(he->FileID());
+		else
+			file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
+			                    MyHTTP_Analyzer()->Conn(), is_orig);
+		}
 
 	if ( http_message_done )
 		{
@@ -663,8 +670,15 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 		Done();
 
 	else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
-		file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
-		                    MyHTTP_Analyzer()->Conn(), is_orig);
+		{
+		HTTP_Entity* he = dynamic_cast<HTTP_Entity*>(entity);
+
+		if ( he && ! he->FileID().empty() )
+			file_mgr->EndOfFile(he->FileID());
+		else
+			file_mgr->EndOfFile(MyHTTP_Analyzer()->GetAnalyzerTag(),
+			                    MyHTTP_Analyzer()->Conn(), is_orig);
+		}
 	}
 
 void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index 48a611b63b..0318dc9601 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -46,6 +46,7 @@ public:
 	int64_t BodyLength() const 		{ return body_length; }
 	int64_t HeaderLength() const 	{ return header_length; }
 	void SkipBody() 		{ deliver_body = 0; }
+	const string& FileID() const  { return precomputed_file_id; }
 
 protected:
 	class UncompressedOutput;

From 4ae52d9e1c0153282a012ec38d910a106bc77117 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 23 Apr 2014 14:34:06 -0700
Subject: [PATCH 187/220] Support parsing of several TLS extensions.

At the moment, we have support for:
elliptic_curves: client supported elliptic curves
ec_point_formats: list of client supported EC point formats
application_layer_protocol_negotiation: list of supported application layer protocols (used for spdy/http2 negotiation)
server_name: server name sent by client. This was supported before, but... a bit brittle.
---
 scripts/base/frameworks/notice/weird.bro   |   1 +
 scripts/base/protocols/ssl/main.bro        |  10 +-
 src/analyzer/protocol/ssl/events.bif       |   8 +
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 161 ++++++++++++++++-----
 src/analyzer/protocol/ssl/ssl-defs.pac     |  32 ++++
 src/analyzer/protocol/ssl/ssl-protocol.pac |  90 ++++++++++--
 6 files changed, 252 insertions(+), 50 deletions(-)

diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index e7faf38df4..474f021cef 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -185,6 +185,7 @@ export {
 		["RPC_underflow"]                       = ACTION_LOG,
 		["RST_storm"]                           = ACTION_LOG,
 		["RST_with_data"]                       = ACTION_LOG,
+		["SSL_many_server_names"]               = ACTION_LOG,
 		["simultaneous_open"]                   = ACTION_LOG_PER_CONN,
 		["spontaneous_FIN"]                     = ACTION_IGNORE,
 		["spontaneous_RST"]                     = ACTION_IGNORE,
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 5b974222a1..eb128483a4 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -159,12 +159,16 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
-event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &priority=5
+event tls_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
 
-	if ( is_orig && extensions[code] == "server_name" )
-		c$ssl$server_name = sub_bytes(val, 6, |val|);
+	if ( is_orig && |names| > 0 )
+		{
+		c$ssl$server_name = names[0];
+		if ( |names| > 1 )
+			event conn_weird("SSL_many_server_names", c, cat(names));
+		}
 	}
 
 event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) &priority=5
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index a11e7bcc68..457d18ea39 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -80,6 +80,14 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ##    ssl_session_ticket_handshake
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
+event tls_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
+
+event tls_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
+
+event tls_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
+
+event tls_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index b6422584e3..043b2271ec 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -86,23 +86,19 @@ function version_ok(vers : uint16) : bool
 
 refine connection SSL_Conn += {
 
-	%member{
-		int eof;
-	%}
-
-	%init{
-		eof=0;
-	%}
-
-	#%eof{
-	#	if ( ! eof &&
-	#	     state_ != STATE_CONN_ESTABLISHED &&
-	#	     state_ != STATE_TRACK_LOST &&
-	#	     state_ != STATE_INITIAL )
-	#		bro_analyzer()->ProtocolViolation(fmt("unexpected end of connection in state %s",
-	#			state_label(state_).c_str()));
-	#	++eof;
-	#%}
+#	%member{
+#		int eof;
+#	%}
+#
+#	%init{
+#		eof=0;
+#	%}
+#
+#	%eof{
+#		if ( ! eof  )
+#			bro_analyzer()->ProtocolViolation(fmt("unexpected end of connection"));
+#		++eof;
+#	%}
 
 	%cleanup{
 	%}
@@ -198,12 +194,104 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_ssl_extension(rec: SSLRecord, type: int, data: bytestring) : bool
+	function proc_ssl_extension(rec: SSLRecord, type: int, sourcedata: const_bytestring) : bool
 		%{
+		// we cheat a little bit here. We want to throw this event for every extension we encounter,
+		// even those that are handled by more specialized events later.
+		// To access the parsed data, we use sourcedata, which contains the whole data blob of
+		// the extension, including headers. We skip over those (4 bytes).
+		size_t length = sourcedata.length();
+		if ( length < 4 )
+			{
+			// this should be impossible due to the binpac parser and protocol description
+			bro_analyzer()->ProtocolViolation(fmt("Impossible extension length: %lu", length));
+			return true;
+			}
+		length -= 4;
+		const unsigned char* data = sourcedata.begin() + 4;
+
 		if ( ssl_extension )
 			BifEvent::generate_ssl_extension(bro_analyzer(),
 						bro_analyzer()->Conn(), ${rec.is_orig}, type,
-						new StringVal(data.length(), (const char*) data.data()));
+						new StringVal(length, reinterpret_cast<const char*>(data)));
+		return true;
+		%}
+
+	function proc_ec_point_formats(rec: SSLRecord, point_format_list: uint8[]) : bool
+		%{
+		VectorVal* points = new VectorVal(internal_type("index_vec")->AsVectorType());
+		if ( point_format_list )
+			{
+			for ( unsigned int i = 0; i < point_format_list->size(); ++i )
+				{
+				points->Assign(i, new Val((*point_format_list)[i], TYPE_COUNT));
+				}
+			}
+
+		BifEvent::generate_tls_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, points);
+
+		return true;
+		%}
+
+	function proc_elliptic_curves(rec: SSLRecord, list: uint16[]) : bool
+		%{
+		VectorVal* curves = new VectorVal(internal_type("index_vec")->AsVectorType());
+		if ( list )
+			{
+			for ( unsigned int i = 0; i < list->size(); ++i )
+				{
+				curves->Assign(i, new Val((*list)[i], TYPE_COUNT));
+				}
+			}
+
+		BifEvent::generate_tls_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, curves);
+
+		return true;
+		%}
+
+	function proc_apnl(rec: SSLRecord, protocols: ProtocolName[]) : bool
+		%{
+		VectorVal* plist = new VectorVal(internal_type("string_vec")->AsVectorType());
+		if ( protocols )
+			{
+			for ( unsigned int i = 0; i < protocols->size(); ++i )
+				{
+				plist->Assign(i, new StringVal((*protocols)[i]->name().length(), (const char*) (*protocols)[i]->name().data()));
+				}
+			}
+
+		BifEvent::generate_tls_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, plist);
+
+		return true;
+		%}
+
+	function proc_server_name(rec: SSLRecord, list: ServerName[]) : bool
+		%{
+		VectorVal* servers = new VectorVal(internal_type("string_vec")->AsVectorType());
+		if ( list )
+			{
+			for ( unsigned int i = 0, j=0; i < list->size(); ++i )
+				{
+				ServerName* servername = (*list)[i];
+				if ( servername->name_type() != 0 )
+					{
+					bro_analyzer()->Weird(fmt("Encountered unknown type in server name tls extension: %d", servername->name_type()));
+					continue;
+					}
+
+				if ( servername->host_name() )
+					servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data()));
+				else
+					bro_analyzer()->Weird("Empty server_name extension in tls connection");
+				}
+			}
+
+		BifEvent::generate_tls_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
+		   ${rec.is_orig}, servers);
+
 		return true;
 		%}
 
@@ -233,9 +321,9 @@ refine connection SSL_Conn += {
 		return ret;
 		%}
 
-	function proc_v3_certificate(rec: SSLRecord, cl : CertificateList) : bool
+	function proc_v3_certificate(rec: SSLRecord, cl : X509Certificate[]) : bool
 		%{
-		vector<X509Certificate*>* certs = cl->val();
+		vector<X509Certificate*>* certs = cl;
 		vector<bytestring>* cert_list = new vector<bytestring>();
 
 		std::transform(certs->begin(), certs->end(),
@@ -303,11 +391,6 @@ refine connection SSL_Conn += {
 
 };
 
-#refine typeattr ChangeCipherSpec += &let {
-#	proc : bool = $context.connection.proc_change_cipher_spec(rec)
-#		&requires(state_changed);
-#};
-
 refine typeattr Alert += &let {
 	proc : bool = $context.connection.proc_alert(rec, level, description);
 };
@@ -316,10 +399,6 @@ refine typeattr V2Error += &let {
 	proc : bool = $context.connection.proc_alert(rec, -1, error_code);
 };
 
-#refine typeattr ApplicationData += &let {
-#	proc : bool = $context.connection.proc_application_data(rec);
-#};
-
 refine typeattr Heartbeat += &let {
 	proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data);
 };
@@ -363,10 +442,6 @@ refine typeattr UnknownHandshake += &let {
 	proc : bool = $context.connection.proc_unknown_handshake(hs, is_orig);
 };
 
-#refine typeattr Handshake += &let {
-#	proc : bool = $context.connection.proc_handshake(this, rec.is_orig);
-#};
-
 refine typeattr SessionTicketHandshake += &let {
 	proc : bool = $context.connection.proc_session_ticket_handshake(this, rec.is_orig);
 }
@@ -380,5 +455,21 @@ refine typeattr CiphertextRecord += &let {
 }
 
 refine typeattr SSLExtension += &let {
-	proc : bool = $context.connection.proc_ssl_extension(rec, type, data);
+	proc : bool = $context.connection.proc_ssl_extension(rec, type, sourcedata);
+};
+
+refine typeattr EcPointFormats += &let {
+	proc : bool = $context.connection.proc_ec_point_formats(rec, point_format_list);
+};
+
+refine typeattr EllipticCurves += &let {
+	proc : bool = $context.connection.proc_elliptic_curves(rec, elliptic_curve_list);
+};
+
+refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
+	proc : bool = $context.connection.proc_apnl(rec, protocol_name_list);
+};
+
+refine typeattr ServerNameExt += &let {
+	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 23fa7abce5..24827d3621 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -20,6 +20,7 @@ enum ContentType {
 	UNKNOWN_OR_V2_ENCRYPTED = 400
 };
 
+# If you add a new TLS version here, do not forget to also adjust the DPD signature.
 enum SSLVersions {
 	UNKNOWN_VERSION	= 0x0000,
 	SSLv20		= 0x0002,
@@ -28,3 +29,34 @@ enum SSLVersions {
 	TLSv11		= 0x0302,
 	TLSv12		= 0x0303
 };
+
+enum SSLExtensions {
+	EXT_SERVER_NAME = 0,
+	EXT_MAX_FRAGMENT_LENGTH = 1,
+	EXT_CLIENT_CERTIFICATE_URL = 2,
+	EXT_TRUSTED_CA_KEYS = 3,
+	EXT_TRUNCATED_HMAC = 4,
+	EXT_STATUS_REQUEST = 5,
+	EXT_USER_MAPPING = 6,
+	EXT_CLIENT_AUTHZ = 7,
+	EXT_SERVER_AUTHZ = 8,
+	EXT_CERT_TYPE = 9,
+	EXT_ELLIPTIC_CURVES = 10,
+	EXT_EC_POINT_FORMATS = 11,
+	EXT_SRP = 12,
+	EXT_SIGNATURE_ALGORITHMS = 13,
+	EXT_USE_SRTP = 14,
+	EXT_HEARTBEAT = 15,
+	EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION = 16,
+	EXT_STATUS_REQUEST_V2 = 17,
+	EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18,
+	EXT_SESSIONTICKET_TLS = 35,
+	EXT_EXTENDED_RANDOM = 40,
+	EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
+	EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
+	EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
+	EXT_CHANNEL_ID = 30031,
+	EXT_CHANNEL_ID_NEW = 30032,
+	EXT_PADDING = 35655,
+	EXT_RENEGOTIATION_INFO = 65281
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index d32d926f65..857bd01f26 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -69,14 +69,81 @@ type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
 	default			-> unknown_record : UnknownRecord(rec);
 };
 
+######################################################################
+# TLS Extensions
+######################################################################
+
 type SSLExtension(rec: SSLRecord) = record {
 	type: uint16;
 	data_len: uint16;
-	data: bytestring &length=data_len;
+
+	# Pretty code ahead. Deal with the fact that perhaps extensions are not really present and we do not want to fail because of that.
+	ext: case type of {
+		EXT_APPLICATION_LAYER_PROTOCOL_NEGOTIATION -> apnl: ApplicationLayerProtocolNegotiationExtension(rec)[] &until($element == 0 || $element != 0);
+		EXT_ELLIPTIC_CURVES -> elliptic_curves: EllipticCurves(rec)[] &until($element == 0 || $element != 0);
+		EXT_EC_POINT_FORMATS -> ec_point_formats: EcPointFormats(rec)[] &until($element == 0 || $element != 0);
+#		EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0);
+		EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0);
+		default -> data: bytestring &restofdata;
+	};
+} &length=data_len+4 &exportsourcedata;
+
+type ServerNameHostName() = record {
+	length: uint16;
+	host_name: bytestring &length=length;
 };
 
+type ServerName() = record {
+	name_type: uint8; # has to be 0 for host-name
+	name: case name_type of {
+		0 -> host_name: ServerNameHostName;
+		default -> data : bytestring &restofdata; # unknown name
+	};
+};
+
+type ServerNameExt(rec: SSLRecord) = record {
+	length: uint16;
+	server_names: ServerName[] &until($input.length() == 0);
+} &length=length+2;
+
+# Do not parse for now. Structure is correct, but only contains asn.1 data that we would not use further.
+#type OcspStatusRequest(rec: SSLRecord) = record {
+#	responder_id_list_length: uint16;
+#	responder_id_list: bytestring &length=responder_id_list_length;
+#	request_extensions_length: uint16;
+#	request_extensions: bytestring &length=request_extensions_length;
+#};
+#
+#type StatusRequest(rec: SSLRecord) = record {
+#	status_type: uint8; # 1 -> ocsp
+#	req: case status_type of {
+#		1 -> ocsp_status_request: OcspStatusRequest(rec);
+#		default -> data : bytestring &restofdata; # unknown
+#	};
+#};
+
+type EcPointFormats(rec: SSLRecord) = record {
+	length: uint8;
+	point_format_list: uint8[length];
+};
+
+type EllipticCurves(rec: SSLRecord) = record {
+	length: uint16;
+	elliptic_curve_list: uint16[length/2];
+};
+
+type ProtocolName() = record {
+  length: uint8;
+	name: bytestring &length=length;
+};
+
+type ApplicationLayerProtocolNegotiationExtension(rec: SSLRecord) = record {
+	length: uint16;
+	protocol_name_list: ProtocolName[] &until($input.length() == 0);
+} &length=length+2;
+
 ######################################################################
-# state management according to Section 7.3. in spec
+# Encryption Tracking
 ######################################################################
 
 enum AnalyzerState {
@@ -173,10 +240,6 @@ type Heartbeat(rec: SSLRecord) = record {
 	data : bytestring &restofdata;
 };
 
-######################################################################
-# Handshake Protocol (7.4.)
-######################################################################
-
 ######################################################################
 # V3 Hello Request (7.4.1.1.)
 ######################################################################
@@ -205,7 +268,6 @@ type ClientHello(rec: SSLRecord) = record {
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
 };
 
-
 ######################################################################
 # V2 Client Hello (SSLv2 2.5.)
 ######################################################################
@@ -270,13 +332,17 @@ type X509Certificate = record {
 	certificate : bytestring &length = to_int()(length);
 };
 
-type CertificateList = X509Certificate[] &until($input.length() == 0);
-
 type Certificate(rec: SSLRecord) = record {
 	length : uint24;
-	certificates : CertificateList &length = to_int()(length);
-};
+	certificates : X509Certificate[] &until($input.length() == 0);
+} &length = to_int()(length)+3;
 
+# OCSP Stapling
+
+type CertificateStatus(rec: SSLRecord) = record {
+	status_type: uint8; # 1 = ocsp, everything else is undefined
+	response: bytestring &restofdata;
+};
 
 ######################################################################
 # V3 Server Key Exchange Message (7.4.3.)
@@ -394,7 +460,7 @@ type Handshake(rec: SSLRecord) = record {
 		CLIENT_KEY_EXCHANGE -> client_key_exchange : ClientKeyExchange(rec);
 		FINISHED            -> finished            : Finished(rec);
 		CERTIFICATE_URL     -> certificate_url     : bytestring &restofdata &transient;
-		CERTIFICATE_STATUS  -> certificate_status  : bytestring &restofdata &transient;
+		CERTIFICATE_STATUS  -> certificate_status  : CertificateStatus(rec);
 		default             -> unknown_handshake   : UnknownHandshake(this, rec.is_orig);
 	} &length = to_int()(length);
 };

From 58efa09426d330901adf6f11aeaa6041b06210d1 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 23 Apr 2014 16:57:19 -0500
Subject: [PATCH 188/220] Adapt SSL analyzer to generate file analysis handles
 itself.

---
 scripts/base/protocols/ssl/files.bro       | 18 ++----------------
 src/Conn.cc                                | 11 +++++++++++
 src/Conn.h                                 |  1 +
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 19 +++++++++++++++----
 4 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index 6b33c0f87b..fbdd6e454e 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -52,22 +52,8 @@ export {
 
 function get_file_handle(c: connection, is_orig: bool): string
 	{
-	set_session(c);
-
-	local depth: count;
-
-	if ( is_orig )
-		{
-		depth = c$ssl$client_depth;
-		++c$ssl$client_depth;
-		}
-	else
-		{
-		depth = c$ssl$server_depth;
-		++c$ssl$server_depth;
-		}
-
-	return cat(Analyzer::ANALYZER_SSL, c$start_time, is_orig, id_string(c$id), depth);
+	# Unused.  File handles are generated in the analyzer.
+	return "";
 	}
 
 function describe_file(f: fa_file): string
diff --git a/src/Conn.cc b/src/Conn.cc
index fa89f26d35..bc62902421 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -811,6 +811,17 @@ void Connection::Describe(ODesc* d) const
 	d->NL();
 	}
 
+void Connection::IDString(ODesc* d) const
+	{
+	d->Add(orig_addr);
+	d->AddRaw(":", 1);
+	d->Add(ntohs(orig_port));
+	d->AddRaw(" > ", 3);
+	d->Add(resp_addr);
+	d->AddRaw(":", 1);
+	d->Add(ntohs(resp_port));
+	}
+
 bool Connection::Serialize(SerialInfo* info) const
 	{
 	return SerialObj::Serialize(info);
diff --git a/src/Conn.h b/src/Conn.h
index d982d3879d..966c77a9f8 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -204,6 +204,7 @@ public:
 	bool IsPersistent()	{ return persistent; }
 
 	void Describe(ODesc* d) const;
+	void IDString(ODesc* d) const;
 
 	TimerMgr* GetTimerMgr() const;
 
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..5f9d092440 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -231,15 +231,26 @@ refine connection SSL_Conn += {
 		if ( certificates->size() == 0 )
 			return true;
 
+		ODesc common;
+		common.AddRaw("Analyzer::ANALYZER_SSL");
+		common.Add(bro_analyzer()->Conn()->StartTime());
+		common.AddRaw(${rec.is_orig} ? "T" : "F", 1);
+		bro_analyzer()->Conn()->IDString(&common);
+
 		for ( unsigned int i = 0; i < certificates->size(); ++i )
 			{
 			const bytestring& cert = (*certificates)[i];
 
-			string fid = file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(),
-						      bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(),
-						      ${rec.is_orig});
+			ODesc file_handle;
+			file_handle.Add(common.Description());
+			file_handle.Add(i);
 
-			file_mgr->EndOfFile(fid);
+			string file_id = file_mgr->HashHandle(file_handle.Description());
+
+			file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
+			                 cert.length(), bro_analyzer()->GetAnalyzerTag(),
+			                 bro_analyzer()->Conn(), ${rec.is_orig}, file_id);
+			file_mgr->EndOfFile(file_id);
 			}
 		return true;
 		%}

From d3972afa97c86dedf2977caa03c1b9374eb43773 Mon Sep 17 00:00:00 2001
From: Mareq <mareq@balint.eu>
Date: Thu, 24 Apr 2014 16:40:57 +0100
Subject: [PATCH 189/220] Do not repeat hex-code of decoded quoted-printable.

---
 src/analyzer/protocol/mime/MIME.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index f4e7d3981f..6f992c9256 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -1044,6 +1044,7 @@ void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
 						{
 						DataOctet((a << 4) + b);
 						legal = 1;
+						i += 2;
 						}
 					}
 

From d3b27eb0c1329f7def8e49dde6d2048d62fdd777 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 24 Apr 2014 10:47:57 -0500
Subject: [PATCH 190/220] Adapt HTTP partial content to cache file analysis
 IDs.

The initial file ID I think is still ambiguous and/or depends on
script-layer state tracking enough that it still needs to request a file
ID via an event at first, but once that is assigned to an HTTP (MIME)
entity, it never makes sense that it can change (so re-using a cached ID
works).
---
 src/analyzer/protocol/http/HTTP.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index bc0081ab52..feddeb00a9 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -243,10 +243,10 @@ int HTTP_Entity::Undelivered(int64_t len)
 		return 0;
 
 	if ( is_partial_content )
-		file_mgr->Gap(body_length, len,
+		precomputed_file_id = file_mgr->Gap(body_length, len,
 		              http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 		              http_message->MyHTTP_Analyzer()->Conn(),
-		              http_message->IsOrig());
+		              http_message->IsOrig(), precomputed_file_id);
 	else
 		precomputed_file_id = file_mgr->Gap(body_length, len,
 		                  http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
@@ -306,15 +306,15 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
 	if ( is_partial_content )
 		{
 		if ( send_size && instance_length > 0 )
-			file_mgr->SetSize(instance_length,
+			precomputed_file_id = file_mgr->SetSize(instance_length,
 			                  http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 			                  http_message->MyHTTP_Analyzer()->Conn(),
-			                  http_message->IsOrig());
+			                  http_message->IsOrig(), precomputed_file_id);
 
-		file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
+		precomputed_file_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
 		                 http_message->MyHTTP_Analyzer()->GetAnalyzerTag(),
 		                 http_message->MyHTTP_Analyzer()->Conn(),
-		                 http_message->IsOrig());
+		                 http_message->IsOrig(), precomputed_file_id);
 
 		offset += len;
 		}

From 9b7eb293f1aaee78a10b21dfd5b581ec268b9e80 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 24 Apr 2014 12:05:21 -0700
Subject: [PATCH 191/220] Add documentation, consts and tests for the new
 events.

This also fixes the heartbleed detector to work for encrypted attacks in this
branch again. It stopped working, because the SSL analyzer now successfully detects
established connections, and the scripts usually disable analyzing after that.

(The heartbeat branch should not have been affected)
---
 scripts/base/protocols/ssl/consts.bro         |  97 ++++++++--------
 scripts/base/protocols/ssl/main.bro           |   4 +-
 scripts/policy/protocols/ssl/heartbleed.bro   |   5 +-
 src/analyzer/protocol/ssl/events.bif          | 104 +++++++++++++++++-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  12 +-
 .../.stdout                                   |  13 +++
 .../notice-encrypted.log                      |  10 ++
 .../notice-heartbleed-success.log             |  11 ++
 .../notice-heartbleed.log                     |  10 ++
 .../btest/Traces/tls/chrome-34-google.trace   | Bin 0 -> 11582 bytes
 .../tls/heartbleed-encrypted-success.pcap     | Bin 0 -> 64480 bytes
 .../btest/Traces/tls/heartbleed-success.pcap  | Bin 0 -> 39524 bytes
 testing/btest/Traces/tls/heartbleed.pcap      | Bin 0 -> 22223 bytes
 .../protocols/ssl/tls-extension-events.test   |  26 +++++
 .../policy/protocols/ssl/heartbleed.bro       |  13 +++
 15 files changed, 244 insertions(+), 61 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log
 create mode 100644 testing/btest/Traces/tls/chrome-34-google.trace
 create mode 100644 testing/btest/Traces/tls/heartbleed-encrypted-success.pcap
 create mode 100644 testing/btest/Traces/tls/heartbleed-success.pcap
 create mode 100644 testing/btest/Traces/tls/heartbleed.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/heartbleed.bro

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 1ccace102c..e60363e14c 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -14,15 +14,15 @@ export {
 		[TLSv11] = "TLSv11",
 		[TLSv12] = "TLSv12",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
-	## Mapping between numeric codes and human readable strings for alert 
+
+	## Mapping between numeric codes and human readable strings for alert
 	## levels.
 	const alert_levels: table[count] of string = {
 		[1] = "warning",
 		[2] = "fatal",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
-	## Mapping between numeric codes and human readable strings for alert 
+
+	## Mapping between numeric codes and human readable strings for alert
 	## descriptions.
 	const alert_descriptions: table[count] of string = {
 		[0] = "close_notify",
@@ -58,7 +58,7 @@ export {
 		[115] = "unknown_psk_identity",
 		[120] = "no_application_protocol",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
+
 	## Mapping between numeric codes and human readable strings for SSL/TLS
 	## extensions.
 	# More information can be found here:
@@ -93,7 +93,50 @@ export {
 		[35655] = "padding",
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
+
+	## Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
+	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+	const ec_curves: table[count] of string = {
+		[1] = "sect163k1",
+		[2] = "sect163r1",
+		[3] = "sect163r2",
+		[4] = "sect193r1",
+		[5] = "sect193r2",
+		[6] = "sect233k1",
+		[7] = "sect233r1",
+		[8] = "sect239k1",
+		[9] = "sect283k1",
+		[10] = "sect283r1",
+		[11] = "sect409k1",
+		[12] = "sect409r1",
+		[13] = "sect571k1",
+		[14] = "sect571r1",
+		[15] = "secp160k1",
+		[16] = "secp160r1",
+		[17] = "secp160r2",
+		[18] = "secp192k1",
+		[19] = "secp192r1",
+		[20] = "secp224k1",
+		[21] = "secp224r1",
+		[22] = "secp256k1",
+		[23] = "secp256r1",
+		[24] = "secp384r1",
+		[25] = "secp521r1",
+		[26] = "brainpoolP256r1",
+		[27] = "brainpoolP384r1",
+		[28] = "brainpoolP512r1",
+		[0xFF01] = "arbitrary_explicit_prime_curves",
+		[0xFF02] = "arbitrary_explicit_char2_curves"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	## Mapping between numeric codes and human readable string for SSL/TLC EC point formats.
+	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9
+	const ec_point_formats: table[count] of string = {
+		[0] = "uncompressed",
+		[1] = "ansiX962_compressed_prime",
+		[2] = "ansiX962_compressed_char2"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
 	# SSLv2
 	const SSLv20_CK_RC4_128_WITH_MD5 = 0x010080;
 	const SSLv20_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080;
@@ -458,8 +501,8 @@ export {
 	const SSL_RSA_WITH_DES_CBC_MD5 = 0xFF82;
 	const SSL_RSA_WITH_3DES_EDE_CBC_MD5 = 0xFF83;
 	const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
-	
-	## This is a table of all known cipher specs.  It can be used for 
+
+	## This is a table of all known cipher specs.  It can be used for
 	## detecting unknown ciphers and for converting the cipher spec
 	## constants into a human readable format.
 	const cipher_desc: table[count] of string = {
@@ -820,43 +863,5 @@ export {
 		[SSL_RSA_WITH_3DES_EDE_CBC_MD5] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
 		[TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-	
-	## Mapping between the constants and string values for SSL/TLS errors.
-	const x509_errors: table[count] of string = {
-		[0]  = "ok",
-		[1]  = "unable to get issuer cert",
-		[2]  = "unable to get crl",
-		[3]  = "unable to decrypt cert signature",
-		[4]  = "unable to decrypt crl signature",
-		[5]  = "unable to decode issuer public key",
-		[6]  = "cert signature failure",
-		[7]  = "crl signature failure",
-		[8]  = "cert not yet valid",
-		[9]  = "cert has expired",
-		[10] = "crl not yet valid",
-		[11] = "crl has expired",
-		[12] = "error in cert not before field",
-		[13] = "error in cert not after field",
-		[14] = "error in crl last update field",
-		[15] = "error in crl next update field",
-		[16] = "out of mem",
-		[17] = "depth zero self signed cert",
-		[18] = "self signed cert in chain",
-		[19] = "unable to get issuer cert locally",
-		[20] = "unable to verify leaf signature",
-		[21] = "cert chain too long",
-		[22] = "cert revoked",
-		[23] = "invalid ca",
-		[24] = "path length exceeded",
-		[25] = "invalid purpose",
-		[26] = "cert untrusted",
-		[27] = "cert rejected",
-		[28] = "subject issuer mismatch",
-		[29] = "akid skid mismatch",
-		[30] = "akid issuer serial mismatch",
-		[31] = "keyusage no certsign",
-		[32] = "unable to get crl issuer",
-		[33] = "unhandled critical extension",
-	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 }
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index eb128483a4..e3c3320f74 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -159,7 +159,7 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
-event tls_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
 
@@ -198,7 +198,7 @@ event connection_state_remove(c: connection) &priority=-5
 
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
-	if ( atype == Analyzer::ANALYZER_SSL ) 
+	if ( atype == Analyzer::ANALYZER_SSL )
 		{
 		set_session(c);
 		c$ssl$analyzer_id = aid;
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index dc38c66f73..dbf27ec63e 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,6 +1,9 @@
 module Heartbleed;
 
-# Please note - this is not well tested. Use at your own risk.
+# Detect the TLS heartbleed attack. See http://heartbleed.com/
+
+# Do not disable analyzers after detection - otherwhise we will not notice encrypted attacks
+redef SSL::disable_analyzer_after_detection=F;
 
 redef record SSL::Info += {
 	last_originator_heartbeat_request_size: count &optional;
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 457d18ea39..5106552740 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -66,6 +66,8 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## information out of that as it can. This event provides access to any
 ## extensions either side sends as part of an extended *hello* message.
 ##
+## Note that Bro offers a few more specialized events for a few extensions.
+##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
@@ -77,16 +79,75 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## val: The raw extension value that was sent in the message.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
-##    ssl_session_ticket_handshake
+##    ssl_session_ticket_handshake ssl_extension_ec_point_formats
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
-event tls_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
+## This TLS extension is defined in :rfc:`4492` and sent by the client in the initial
+## handshake. It gives the list of elliptic curves supported by the client.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## curves: List of supported elliptic curves.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
-event tls_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
+## This TLS extension is defined in :rfc:`4492` and sent by the client and/or server in the initial
+## handshake. It gives the list of elliptic curve point formats supported by the client.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## point_formats: List of supported point formats.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
-event tls_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
+## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent
+## in the initial handshake. It contains the list of client supported application protocols
+## by the client or the server, respectovely.
+##
+## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## protocols: List of supported application layer protocols.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_server_name
+event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
 
-event tls_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+## This SSL/TLS extension is defined in :rfc:`3546` and sent by the client
+## in the initial handshake. It contains the name of the server it is contacting.
+## This information can be used by the server to choose the correct certificate for
+## the host the client wants to contact.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## protocols: List of supported application layer protocols.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
@@ -147,6 +208,37 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
+## Generated for SSL/TLS heartbeat messages that are sent before session encryption
+## starts. Generally heartbeat messages should rarely be seen in normal TLS traffic.
+## Heartbeats are described in :rfc:`6520`.
+##
+## c: The connection.
+##
+## length: length of the entire heartbeat message.
+##
+## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
+##
+## payload_length: length of the payload of the heartbeat message, according to packet field
+##
+## payload: payload contained in the heartbeat message. Size can differ from payload_length,
+##          if payload_length and actual packet length disagree.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_alert ssl_encrypted_heartbeat
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
+
+## Generated for SSL/TLS heartbeat messages that are sent after session encryption
+## started. Generally heartbeat messages should rarely be seen in normal TLS traffic.
+## Heartbeats are described in :rfc:`6520`.
+##
+## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be set to false.
+## Otherwhise this event will never be thrown.
+##
+## c: The connection.
+##
+## length: length of the entire heartbeat message.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 043b2271ec..66224bf45a 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -228,7 +228,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, points);
 
 		return true;
@@ -245,7 +245,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, curves);
 
 		return true;
@@ -262,7 +262,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, plist);
 
 		return true;
@@ -278,18 +278,18 @@ refine connection SSL_Conn += {
 				ServerName* servername = (*list)[i];
 				if ( servername->name_type() != 0 )
 					{
-					bro_analyzer()->Weird(fmt("Encountered unknown type in server name tls extension: %d", servername->name_type()));
+					bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type()));
 					continue;
 					}
 
 				if ( servername->host_name() )
 					servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data()));
 				else
-					bro_analyzer()->Weird("Empty server_name extension in tls connection");
+					bro_analyzer()->Weird("Empty server_name extension in ssl connection");
 				}
 			}
 
-		BifEvent::generate_tls_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, servers);
 
 		return true;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
new file mode 100644
index 0000000000..8305175edb
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout
@@ -0,0 +1,13 @@
+server_name, 192.168.4.149, 74.125.239.152, [google.de]
+Curves, 192.168.4.149, 74.125.239.152
+secp256r1
+secp384r1
+secp521r1
+Point formats, 192.168.4.149, 74.125.239.152, T
+uncompressed
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3, spdy/3.1, http/1.1]
+Point formats, 192.168.4.149, 74.125.239.152, F
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1]
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
new file mode 100644
index 0000000000..863d8dd9c0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-19-05-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 1, first packet server record length 32	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-19-05-00
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
new file mode 100644
index 0000000000..9722e20655
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-30-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396976220.863714	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1396976220.918017	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-30-54
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log
new file mode 100644
index 0000000000..da376c79a0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-29-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396973486.753913	CXWv6p3arKYeMETxOg	173.203.79.216	46592	162.219.2.166	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	162.219.2.166	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-29-46
diff --git a/testing/btest/Traces/tls/chrome-34-google.trace b/testing/btest/Traces/tls/chrome-34-google.trace
new file mode 100644
index 0000000000000000000000000000000000000000..e02d35a5f1f37a6f2525fe7b7465dc9c4f4cf36c
GIT binary patch
literal 11582
zcmb_?2RK%5`2TsAy<eHh&gL~E+1c59XYVaDGczd^8pujQij1;_>_|2VAsR->EdJ+c
zebe|||LgaAx}K}|ocEm1eczw^c|OnmJg<S~vTQhj1irVuJph1#7Zf^1Ith7rfI9dY
z>cG+1*9qYT40cMLS~!3_07y%8N(0hZ0MJ-~Oi>A5zB;B1tFh`(VTK;Q58vC{ivj>R
z5>*aEAdoN^4jzNFtPS)X68;sPqz(^I0k5I{75A%+ee@H_ApjtZ_3;ga3|WBHj499Y
zGG%}kShC3Sxn~3R(NmFd96UokFEa=ow1fru?E)gpf~Zjc&2J$Qtv~wB0-|SzkuV7C
zfym$db%Kx~MBREk01eUt^@E5o6p6+^5UCgh0M!GC2pG@}BDEtBOH}0K-MTgd;v@>|
zv8=^wuE}-+as6AUciRpjQBHe>0KneJ)yM~Ac9VCb8}S-(8_|vAjo6K(fFK|Mhym#U
zA0Q0i0Vn_o0{Vg85dj1MfNSsWZtr5tYh$|ygVKoy-~d<vB|rsG1NZ<OyaT35&<A{+
z1fT_|vAjKO0{8@RzW&F{kK^Fu<H5(z%YQ}_d;|rcz!$(q2#^6JNEiwRhanLt1RQ~c
z!{Ok){lVfg^po`8(kYZ2x}VO~1L@2J)A=ck1fE$j@|7ZxaBDD?P7vvNFYthF6tLe9
zBBJV(!y&{a+rJ_9Z2myB*+)bm09|nCX(A9HHic8Vme=^17kec5<=sv+o8%^CK{Lqv
zlQHT^N!I|7aDW|(_$zz(01^Sf;1Fl~gphz7;{G6u0)Zf)!UqV*0RmD08H$NO24Nx)
z)>#NR3=YS!pjbR|F<MF)Lx_dT8Lbq(K?sAPPyj}mA0LB@h0sG{q2YQu{Adg*bb*J)
zQ{2xSgR+}7KP!eAx`{v^{&CaC*2~S-he76ykAu6HqfY>Xq5$RyB_Y2MMhGLuFMv5F
zBy7BYc?=_p*>A=e+drDZA;6QfbaAwE_i}Tz<fp)pL#D6^2-V!rxcOK*x-sZG+WP(Q
zi{QV0kz>gA{UX5U<oz+wFcC1O{{{&|0f-0~F#z7jgGaz%K)7N!D?ZI$?}=e&JiDsi
zg+w!spjYK>8!xp|PWBJoVXBHN86L(Gg15?A_e^(^;P22A3l?%~89JYn>MU{fV^Hqk
zsrDls(HR%4ZJ1EMENr@@SGQ+b^tQ07S8LfhnfhgyzukFV^>?l(vbAoEOc<t=<d;v6
zR87d=En6@em{fIMTkHzcB|H@6G<cyoRY8tR)xA5xexa~Yp_1h^W-6mC`<_`}tKKL>
ze4<H@;M%;DwR&a9he^_|TpV$?a1=gw;+IT$`s?Ts-D^(RzWkFI$J-h+S)?q<6HMn*
zmmO3;eHNU=j#S}&JdN!)in|#ncoQ$%JmOx)XSI+IYQ3+%z`<D$%Z-33gN(>y=s*VP
zSdkF#I9yoZkibU3etd#s7@@C8ku(^pi2srt@pEEh9KJsegCR{Z#u%>e*BE#-Jv4!j
z^YM8&JATiQwYw{yqOy#l0I#)|&wn0<{dm~g#nINy$D9AZZ@61~dwlhk2uXn?M;WRb
z&WuM2-;TeuDo-OB|F~7l9YX;5iiW}VkZ=rup@*)RkyIFpFmja_SQNCi>kbvZpTa9^
ztZ1r@!}&0j&;txe5)2XeCLS0&5;hb7N5L={=nHxz2Zjy9n#G*O_`|WkMB(z^;Renr
zaJaz$^|Sm(DAP*_To5d0-c4kVVfaK%PvVP&>k*<I8mM2Jw!|%54f_ygBfW85MOSdG
zBATbGzEwi-%=>mX5|3B@QYM6hrFfb{+4Q+dHTVQc)`vw21}L7$PA^u#y}0i@v%hk}
zuZKjtqc@B_|GHL;2exl7b!Ppn8h&-47p3a-7m6c6Qrz9toZ6MT4A;=aNA-v02rclR
zOxWrnMFcEfhIkigvRF{}Mx@0Dmx~4Nd8n54MteRT^~xsWMBJO8QL{T$car9=G)d%2
zvF)dEb56Cc>mM>r%FQpf*7uX0b>opBq#V;*Ng%Pitu48knvh#lEX%B38d66jK*jyS
zK@7VAK;nQ3gv3O^-+fge1pK(;0irOnzbeAF$&ZI7RJ3*1^*ZD21IZ6BKP`qDObMtz
zWIygJy0}|ex-iJe?5mC-s5-*@;6LGg)e#0Sg}z<>L*O87FZ{Q*N9=36&9B<d&i;M1
z&<_4p+yB2M^MBH+bWWt7>4;|1aje{ksS!=3+Bm6IY7d%Ng^;OBt*dcQ8JCQAEeWdx
zPR3>V;Ol7U<voqCN?CeqWbtGg6-L%#enqO*L`if_XM<&aCu#9eOYfQv;hM_lo4S+1
z^;ypDF^zqi^z0af^caq}mP_c~@e{X?VO^|KB}KjsW|^Gd`poaSb7k=KM_!eCvi)6e
zTAXOgx^-S0QjMo?r?#Z;$taMt=86<{w2f@1ZdG8~)Jds-6{bS+g!5f>8UtyY*fkPl
z){13d3hM=R?K3l#?{PZGKR;!1dZ6B`fJjS2gfx~;2Hlev?5&pcteRY7WqnL29G8)?
zLqr-7cjQ>>y^CIsU$rWH2NS;e%Y<$Wyy}n;w^M|&As`Jd47PpP*{%K`dHCaeht`U(
z@_>WE0#yR6J}^YkJz_{Qkl-?jg*pCp>I-7{F??A(SzOT^-vrFs%Z1n8*4+mhl)R9H
zfj7MQ?0xL_#~~<XE*OdLx(DhY_&SE?`!xm@&G-%G`wKjfp8W#&cRBiX!QK}akzuSb
zQntIC<Tph99x!K}F{~*KIVW4~HFjj=q6k*n)Jlr@u`jf;hPzDd&UK>Z&%{~X$ljXU
z`zlB$j*++f6TVNe8@m|o9+q9LFOU*FG2zsSykHW#-q7tHg)nS(&_efoY2OHtxF)=!
zpIbL&^j_m6Zf>S%;JU&yI<gFn`abE;db?QWC&muz*QII&xf^hf=M<(+T=03EQorJs
zg5INCIZ<3jlF;qFvv3LiWMxP2L5ldR$6XGF-s1%<R^nK~8H9HP>--Ukyr=xlG>?Z5
zEM>KOh)$Gk*>A^4n^`t$U2;C>+=DvaIei=D|G9JQN*_0lL<mJddzK~xi>{z2fCvXm
zn_y5}=D&#xS<U=GaZ&$OTtJ<NL<A3wE$?~8(azGJp9frhz&rS8mTz|$bZo89c-b<@
z*?Rdn+BsTV`q=)ga3G<<2w;Q-_(6368&uwiVnlyj{-221|D*?F-Bi|?FKd*{H2NVX
zFHg9L&U#k)Ck@nQkDS^pkgG&2sxe~Y#Eu#A*@<z~q5R`BL>Ew1P9dIo^DU?I?=OeV
z#<3G;vJSmJ_wjCiQrp!ISt?=jjJsDAl6f^cS7YRwC{he~G?(Le!U7HMeps?_?gtVc
zk#CY85*}?-$PMypPipAU<Lc>4lT1Hq)BW=4Icm>N_4$FppgYt(dXw$%`prdk=1es%
z@a$?bi+r}5@4A>LMh#S@z{QgAiFQSKpV6VNud7MA6Jyie<34ifwAjqHhz?q8!2BrJ
zxI_VYoxocv1iLoUbFN5GVp_BYTO`sdJ>U%mX3e6JYr)fbcI%rStYE_5|Dp#<^A1~F
z{beb`iX+SnBpQNOA#J}4YWp5oX+!;B-40((-q-e3{$I77r)*!_so<Gy=D%ut;?05o
zD9j%Ph!|3j{Q?AqL4cz2zm*s7{o!bBxi2s35I6%;5hIV0!$N`|0gO0C?7POmVH7-&
z#(0CpmY<*BFVe#2W$W#J#>?8)8~o(q?(OK~?iFxgwjjd80pDpdH+5ACvS<ueSvXGb
z3Qk*_XNcX><M#vN^m{8S?dn5vqW2$Rf~orS&gD3DiIAo*DB0z@hCW0ODDK7^n|gmP
z8Ko7V7A;B>A}>tsf17)l97nmbW-e*@oXA@`efQ3>T5s#b+0Y<KrY;HW_ZFf)>8}u)
z>e=_ME?Itvlp+H+FfcU&0H%xpC}oi5meX9=O#)5*Z^|$0DoS2Cr}B7kL|SLcZ4u*!
zEM$(2x)~ycA7YbmOY_yECB~2i11mY!3qemDo>SkT)46XD2JZC%eBQOzwi|{|-nNel
z3+G;`I)R;ToNwd1-Y%uebW>#tzv~<&eBf|g?8vM#=Zy*%!$n}sT#O<v+@!y4`)!%=
zvm=6r3cyyHe?!@ujU(jGxVaZR<mNotQ**kbJ$z);GmSjQNtZ?l-%&BbZ+pq@aocEB
zez48Ga8iSYA%q04p}sl3V1=*drQ6lZ)uTvZ(fb*_<4iT17K_W9Bp#QW2%P+>T{E{I
z^{zZ(efniR3Eli2hHGw1-L9@H=uaUkfg3E{H(f4v?}>QM-Lw)h^m40_!Zk&b``Pc^
zZ#7eCvqiZi%94gSh8L>_4BOB#-y_yHTcapa;nhhkI((sZh>N%xWE4OWf%`{jI<QUt
z+!!A`I{<{jivD<Z@M(^hr!0(wKI}iI5uV`Y*akx6{3qfe^S>ct+(AUWKOuUo;{i(G
zCLihteS{sq;P($iDh2=u`#NR8ZMNUOk6`!;B;fgr4AL(H&fRy@ELYK^_1Yl|D_hGq
zUEw})&qit@<ZX}OaNuvfk|bug4Y4i6puA$4+-!3LPMgh+UKi5rM9*-YQ8-HuLcw4V
zpZ7t}_M0${b?z{hZyn*hz0m01vh$;&VWaAF;Zm2<?5oGqlNWR1o(^bOTkl9=Rb^dO
z&GA+`8N!^9)s|P+y~bW3GA;wZG~!1PG9GSJ?Du*i>&kmg6<V|EV0xS#N9RwmMl3-t
zZJ~Kc5rQ%0@q`eO{KUOcHOW^#e9h<}wX2&P&!;v@w}?F1FlMyxifz0TXd+=P6@x)2
zXIRWOTJv3BD5gc5l|F|-6ZIO(l*}P~z!2mV>IbC|rjmRPDsw*!|0;zTcdHK7oiI=e
zt--?&=p+i{)C=MkqG1v|sv84fagD&hGlS|8_-F}JUfBg1(#Wml+OXQ|9`=pRox9R}
zsU6Z=uY~LMx}1kE&xO+|lV}peh`!0tZs@1DEwa=1C2LwYcEH|I=fmh&+?27nzh-?C
zOgGp;<|5t;id;s~4Oam%fxV;CGpCzI-PVpqsxL==)EN@xYNb}e)ys-F7MEqVNU}_M
zhJvi!Jn>}-zUNM8fw<djVt}q9#-M@?yRfWDV}tKQu8aK`(ChM~&3E*e^>)dmB*tu_
z+8}I%W4?jGr&^wd9&rVG=+a7=AS-$9=Mk-ljb}gey?_1!B|LGWQYw+f`uw8bM0=~R
zko-*9<0CoTtYSAyEEf8*rI;X|WkH^Uz-OU;kY~U(IdcE->A|l&^GAK>S)ut?o+&||
zg&@;lgNcvYL||*baY?OizVpV-$l=l5lZ4N1t6Sqos<;+^u@2HfO{`sP&PP($rr<%Y
z$bqi7gD*n;H&-l^!9!8-ShN0sEA`)9VZ#31mG4ZzXY}AJqjpqI{^{C^>2*~E!)&y|
z-YRDf8HOmG&-7P30hx~g&C7zOp?+{C140Sif11gvJ9E7JQJ^*~{YM)@piu`QM*S19
z%IL3%^&sNgKOrXm6S1=EuZV9!#Dza0%G3SK|8G&db`Jdm5!A1}vah6rb1W2!`j`CU
zrzLwe>IqjVoS4?h$+_TuUEumdo0tLDTgf?(mMMAHkBHoGIIZFr)twaL4$)-{y7E2$
zzqw-hj^$6ToDu>P@HPx`CI5F<e&pXiWpIs@mt}?ibF(s9q>juSs6HL3vgDJ0_Q6QI
zJL5KF-U~GE4W=IIznQl!)%l}&%OB>!1LtpN-#?h(hLFI9kVes=B2HsT;`uG#cyWuI
z*Ybk7=6f;L$2?)RtKd=gXoKyXDCC0P5qzKm6g;RObOCldQ}&N8B!71Sc>kLVFgM6P
z*pRVx^Pyg4mnMjaI!q~Rg&hthX+P3xdR3a*aY8G6p!Fj5WW0}bZkfQ7<{%-<$K22C
z5%gQJJk<*PMZ>rT3qkeFy~Qq1di{u%a!Q7Y751Fs(Z=H}6o?1fX!WTw@x({ciiC2g
zqE{LQC8pO9hiXcUPhO?nt1r)_3Ze}v^Pvp1O<vo4TVSj*v=ZA?Tu1W39nK!+&APh<
zBU`gN^YFONQZt8E2e7dtrBXb-6XF1S8q*cChCO(%tH6LsiK1ONHs<JS;`JH3NV2t;
zl;YNDk<&u*IMMjk?*{S6H<ZKZGMjuevZPvBlOrq2e042aUbv#>E9-@Cw9z~}eJt44
zi6j&u5q=)CO19&4=u@go<cfZo>BYjP98AErOp5Ov_Q;9EnEBE!%spdOFP#;u%a+B}
zOc^hMhdXcrq@&RYd}KOUq?>DpsMDj?d*pmpyR6XYO&m`r-sQ8+eS6Yb@oh&K&nMDB
zN&I~5r;hw4V?xQ%`!aUm*BSn|Rvo93q2v6#rmsl^XHyU~s~|)ZaeSZ^Od`~OL##@U
z*+;ZHAdDcQItp3~2Yr7ao`n#hIST$nwBHbT6&viy*UCm%2#BQ*C!C?Xda}#D+~@uW
zf9craMCr=Y6UuxaNoN&8Cl?;QNI90rPX`;ec6CU7low6LluYi(5a;@ME|fQeB)b!_
zF3W&?T9+q)d}hCK1HiufC~uo_ZB?z(?0N5nNBp-4Iyi!9X|JSjO5YQJg0csLss@*7
zs2>apRh%3P1-0byYfu7i--G(-|65R~{fP^Ph0HqcnytnyT<mSPmcVIOSC+OqR5NzQ
znceS+(-JPh3Hq25_dPu=8NV3snWZN*m4$6Tw_v<R_+rZ?vfxl{_i}&}+lu~EY-ZIO
zhLjG<rx}iFSe?Bk787msUx-{9<0bnNxc6*gGmQuw<Z>U9e7@DV*_iw!`q+#uZl+S-
ztZq5OgfG=ig0$P+1>zUz>F!h!>DFt0c-kxALqf`dem`a97lm9Gs#}bsid&6AS79Ar
zkt%mDu{a#pn3K7Z+AyirH9O3uJ<B;-TB>!H14UXM{k(#d-52d+y0+*Y&=YW)eSGbO
zS)d{*D{R+&wGN+mOVxfk&}sD<4{37A<Evb+XxHS{s}y=VZ^l`{>MRW_sIntcRMgr}
z?{ufGBytKmvm+xjMTf|@7VSDE!?&W^*eUO;wg-mCsL*jqTQuQr^`Bz!H99sGgB$j7
zXN7(bD_h@cV|v?O%X6*8_Z(%OMhcgDY4w6z^SXCg#wBDgvQ-a@+VI-h=Cclro*{c@
zkpedO^ir@;Uh0zC#3patfnBP2IHfQzA)8%o!fv86$KwR+bt*mGb<f$+P(}rhQQ1ms
zTALdG_ivlga~$LGj4|gb?WStCX13Zd96O%Imh~((tc$VBRVUBfTQ|h-wfuQzILu4?
z(&w3xrJRc;ixTX-eWneUA7*f^@zvR7+`yD#9D!~vf=;f?XMz*4r`=iaggsy*bbUZ6
zAsu&;hAmXaLxTKWa+eq@?>%XeMK=l>(ePm9(daS#&^~>6UJ(N7D#mR4Xg7i_wRJNN
zrM$5e#gry#I2qSa6y6X}(JaEodbILmPn$N6CC};P#H<;t%YGgmZ?)SG)g#`GOEjU|
zj9Vx(J_azQzv+-{ZP=iXBjjtX`$9LeE!9F_z56im&IR+`{LZ_4A5sYt;hMH|BtabQ
z`BvTm`0c!nLdUh2BCnXbg{shWU}<VIM>OYry4P)hEu7DiDtb6C?);09qpzov8aIcy
zJ~wz$BG`@SHP2KTI0z{jykl-aoQ<+F2yfV&n?B57FeWu_${;-`ZyuL+R(4s{WMpvy
zKOnM|{_&x4Qyz1!m^l&eq4=|FJcAB(U6b2>^xCD7#+L5~xzq=)HTsRuBrJ^29qBxp
zu*#eueCZ>L*_#|;0@lkW+>yTIpI>{oy}8n@zR|N4=AXx+zLk>PDKAkSG;YjbdVx)y
z{dxV%OmwcT5F=tf=!WO3c^+ak+t|66x6aKVIw@7fSFwz4sZ$VG&Za%=O0Xr5Z?C;U
z*TXE=dKyb2Ga)8kjCI!oxp0R*5q~8{h5NNtLqhr0>^p$X!&FqM95pcxcKD=c<9*t|
zj@R$_hZJv#+GnTW8b7(FIZS>lTfAn2^i`8e;p}we&}Dz7B`K0AYxWrZyPY3;jw@Vk
zmw&Lwnkr18p-d#isde%KtR&*r$+{k~(A#u`XU`XO*(8<*o|0>}XTBMd^?`ZYRH*%#
zp4}pss!7r``SpClKv&aG0}92*@17i_HJe~O$yQq+IsSgvC`#t&^<vcUm0nHJ&U3^Y
zQlDitk`>d7)a_4LVOIstv3RJOP|R${)xF(tl*pQ+9ytX&!N2EF`X$bFWPG!OKg5Hv
zLdo7iw0I)Yutb?`d#lF?W}~_>zL_{)@>u<WU=Hrbd1HP9<?sn}s{xbg@?E~EODSPq
zEiD>}!A^2CkF+8_(VNZ)v;b(yGLG8pi5oJ}j+okQ=50n4N99TBW#>B?zPgfw9e%ld
zu{a^RRILv_^>Y`OF^C2Fajj4<$(g=vd-@2@dUcI1d$s3zU>|i&Qev>hYXWbg{#D0%
z4#K|KV*8H)Xn6!RI$>yT+8rmlUk87I;b~lmW}ytE<j$ay-vo6R>Ian^NJ@^|U!KnY
zs^rJ!zbpB1rQehsFx+39z~9eB7FjE3g)H=5)Q45K6I$8uS03WOojJZKWveAzz;U=Y
zZ!mkl;|+F717fbXp}0b8YYdmBnoh^Kk+i6DT`}P_`RlAJt1CLSv#VkQBsQ)4Rk;V~
zt}|!=>c6>bmVAES-MU}h6_xw$ZgAJ{?y`Jy7b_Au6lv3oPA^$})B)3MG(z0f(LUMk
zCflLG$_Ftu3!47>7Gpi(PxYNTYK~XH4J_X`{!_k3gXO_l2=Vnl5ph@lhIniqM9lgV
z;@f{BVlDp-QB)2@-2M~d`acm%Z2yYr^0%nnC4Q#xV4Vz@<<a~D5!xx_d`%%(48=e^
zLIu(H6ryG|3Om*vU95vKF;y2jnZuO`gXP|k+ihnocMU>>-~aeCg};p+q2&1e(KB~o
z^tgbdhZm~u(p`Rxo+8LRggAAZ5O@xbAgKQqOsmBFAA{kY;}vy*wmsk<RD9ca$Q=QL
zDT0Ez03m@5YewAUO(NdvN1rjDB(l`HNz9eQd6issStlbDG-N&b9tW~-F40~vASqkh
z<K)nK)KosYyg*T9f|8*wpbvDTnA-M+^99a`O=;&ICt|g?`t&S^drG;mjo6P+Gww;b
zY)h2Vmi{T?=X4+R?;p!^Se{Qb_3<8;QNVTd`O-h?J6~rb6>AEG_`Hem$GHCkX`sL0
z&VKd}q%}aKUGMo$nl}@JwA>L0@iqw&zzOb>pneb$b~rf!Lj17vM?|nBR{!_|Q3OJS
zNPG2_Gq7;&(3yRD;}B2A<%!3pl&|a*CUwinkmV*Xx4J^(Dfk9?ckq>j*>;WP<u1#u
ztG~0~HI%XKQ(4o<NTPe{@8H~STS@mY-JDD&hh`>NLzS%MveJ9=n){&|1&g;_J!+S_
z*oKEt<kz~Y?Mfc6YOr-R5SCRL5RH`wKGEVcRI@z3H=9#xLYDlzl!g6LjBr?1?j}+6
zrB?Fm(%duR^dpX2`6r{#zDEjLM7d~ov`FvpczLchnB@1KR$cWLPCM5&{<v?W^z2m`
z1X@y{+KyYGLicbY_PMSs?E-wo{Xg-#12QLp1orzu=8$~J7a``BU;oOSm@YVg8=%bu
z9VlO457xZDGly9J#vIPZt*!F&zG*83`5JTnKCc|4j$TWTN-)C0p^YjYzG-%uJvFQK
zc56k=jg!cnmw2Z(<edTu?9ieMyU{n4D)@mS(ZXC~E@q-^IMre`Zv};${YHi&W}SM#
zpp>ljDqQ}CwoyP~C*r7Rx8a1E8@<0E_GH>lahKB2=cLsNelGr_lf^^;mgpx$hB2nL
zP_+22i<e`d3RSy_y;Xk4iCu&fhn_(xp?w%DBkxYZCeMaswvf4Goi(#zz`81#ET0R@
zj>*y`2B(2HZ32RIoEc7>@q((=>bTR?l}nwQfqS*K_x%&fZ@!?G>e0aGeqFxvENel;
z0ylIc56gG53z=&E=@!L~RI(MBnrGrYUJvnWe&g3AcoXaf*fA5@nmHrRIky#9N>osj
zt+?qFnC=#m>^L#gcOC{$s@R0aFU{8~7ZAqwlb!bNea$>@H&xUP`-qoLH+9aDQfr46
zH|E97x##gW%FG-oOr+E({coEDPUh`wh^#NGUNfW&ZSl8A8Li&rkMDM{yV+!oFYCb+
zs=s}7Q*a>qZfLSg*{%G_p4Vjf%6Pc>XRQx?@LvO_clO+rJi0iXZ-ld9NBN&)erynX
zrRZ4D`K7{^+<32ZQ8Rc!TOVj!FA<8b(g!rLnDf}+oNXDr{+c*q^#OfwMDXpj$NCES
z?&~sP4;}lY`v=i!#&^PbK8Y<fzQuo)_e5iYjq_;O?VLlbin}z|i%V~hkwhxFdm}2p
zbUU9Z2J&488RU|hDai|SUFd^OINCnBb1|8RBJw`2vId92qSWfpOF@!*IGXfEH(pM}
zouK2^7?5I?vze#~<Bc9t^n7Y?Y1V$czvX%7i_pEh3vss;1k|x$=<{P@?-`%F(DoZJ
zD!wviKjr5n&w>bCFdR?xQc(Utt<_wmp2g6@!Y_-Q52~A87!-}VzJPBU&7r_+^frl@
zLuQ?q;Q51QLhW3GSV`tG2inaGrO8a4%vx*u(<>Jn)l+;$<JW@dRQry<%t0r5u$t{P
zY;X?qb8nvr53Ty_tnW$1ZPHr4ROG1Ym2oRRbberRO_MQ~(uu<ceJ*ss&9M1Fid@pl
z(@bA_l$hno?Qz${ia|}I3g%A_I4r!P=J|Ne;uTIsk=0*2LcyUVLUpQ9g7cz5(a`wE
z{#mPJ?YvMTCE@~7!eny0m8qgP7FW`Ji~UX|O59t&zQ;~Tym*4JRpHH-9=VKl?^`%V
zwdo2D40L1lmlQ5j(1tJh5~#6s-$-d_eCm=TGhDeF#?4wN6o%2UC@WPy#>>K1H2la!
z;b@Hw<$6x$<Nz*(qV^f%*Vkn4lcjLA_K1=d<<aN#FvK0!XT5i8a%quP16@V~$#5|!
zCQuy(^@Cypm?dA@7xst0iiw2AcQKKk`b|uJEX26S*QwjxI$7y*Ik6Vyf}V;sDi5*S
z2-&N}N(j0_rdL7Jf3Kx7CI7f=Hq7yg>4H_o>d!hwPSjA(TLeP<^iM>hV}C=G&;St|
z|Ae^xPsDKhzasjBh;@HL)F=B%_;1C6*$mr15PzwBzDE7u$_IM{KQq|P8U3+hLHG2z
zW4&T&<XX&zf{FQh4D(A6Jth4=3I8qELdl8yxt=<ZYkx4;3(z8-BK{-Sw&0R0`u_l4
CjAE4l

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed-encrypted-success.pcap b/testing/btest/Traces/tls/heartbleed-encrypted-success.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..36584582d064a6d2ea46e92c41b19448cbab74af
GIT binary patch
literal 64480
zcmd42Wl){VwgtKt?(S~EW#R7b39iB2HMqM337+6iAb4;K?h=ASu;32C<t?($K6mHb
zv-ho6^?tlmb%k!aNB1}9>@k>geQUbACKmz#1^Dyd(-Qyy1b1SIrB&~VkpW8JpPw6m
zI$}FEu!PK9X6O|hKoS5Df$S3jh`;~<oh4AoHf5(ayF|bi!rfzu=gCzNPfrwK000CO
zbR7^95()@}L%`^M@PGat6vQ9seH_RDIdK2E{ek<(9>359z#9PAVP050BR}r|Y}qAB
z%4@3u?;x3j!4n@X{RcV}1RMhX=CQ~#I(R3z=W|1IA_K(0sL$<xotvW|>%X2`5{zCO
zfJVkZ;RUw9ALk8uMt(+o#f1!@2Ak!%{U;(250&d55b?+uC}01Mhyw`(d<P>fLIN#~
zbwK=1g-YYs+tJovx@%U&Qg7H$W~jVH22PZA=QsfX%TBCLgieZ1asV%Y2M_@W??ml{
z25<sGIx#xoI*B?70XP86PUKEV0755bCwwPqCkcQZzy`<wq=Vfg(TUOt1z-WB07L<>
zo#>sgok*P!0BEqou>lwWcmNgv9RLS_0YCztAiyV*1t0>TAOS!K00Mvm41xkc2H=Co
zkN|k#$q3-BaDPpQ1uw(~gFu5pFv0Nx0R}(?pn<_C!3IJF+wa+GH*){uhyUea4wchq
z4^R33hlgtkcTea7&;Wv`K7UvZ>;o~dcSD{L3p9`cd(ePi?LQHrmsHN45l3eJ4l$7Z
zcf@Buh=HR~2ok6&O&nW+Y;Qe^*DEpEN`Ja)hkUY`(XUT!LC3biG^Pyb!~y_to`BDH
z<4+U)`KVwRq!6%;0su(902pCV5DY&k2%0hn5&{ST0g2=i0YZj>rw@|}yFvy65upK~
zz!+9U5IhW|Iur~hgscK94hZYHgMf*w>T2ZdD(+xMrr>JI%*p_wdmcx`q);_8adS2!
zld!U|ay7Cg6E|~qwKBIdF>*B{Q?;_Nx3afj<pFU$Plm)~`8SBTt&xih87tXKXDd4+
zXHPO&dsj1OJ2O+OU+c`A-OZfI#6>|QxX7&RtRPlS5DzCe2d@se%kkW0V`JrI<<bEu
z{pGaks;qb*oIf@~ee>oGv#ph_(Hk>cS7uW)))yeke?KTZ5C_N6!Nt|i$OXKq$X}*`
zf`Al%wFnRz02u^C1%Ss9AcBBEK!b#NcbROPx?$Pq@Q(}xc%+~?E6{RV#?gGhk_<0B
zpWQmqQ^%cJB!h_NG0i)@o|L|_!A1<U0_@P~UBA#$i`cTwP$nzGeLwzvo?DfW6~JsW
zPeN$S`!y!cBsCm`Ps6OvJb3NYa34JS8MKBEF!Q$uFj*gZ?!%<}&&klKS6-S_3*PDY
zhk6p$lMTEfGS+rKA!Hys<7&=_+go59GPW5nW_lY8UkZHiRvz8DaZ6p$j^b3AE_3@~
zAO=ITNi1Fv(PL)oO9<Cywoma?+o$kyXBHGoCqJqw581(_zL@U4hBesGI6Xgbr=Jx`
z!|B>wO~`!NqKaAg!IQ6Q^9=+zEP?q!5Nn_yh~-~#LW~Io0Rn&!!FDG`g@S^FfGh!F
zK6hR~A%PHJ;22<l(9p1uKoIfsAPN)?6jo)Zl@>fa`S)e$$D!T<Q^~ZV?kN!I^RFqP
zz#a_1+85)PNUQpoeL-jgcQs<le2l^<38HzPfDT0lA_@9W?*<|M?n8~|sbo+=Kt-_Q
zWI=E+FcyJGKnNhX#}9)DJ`of!u$~(T0SO+U2QmM7NC+Sfg{7;jBOeRPbNIMC2fT}m
zEwhP(9gCxbt(A!<v!kgwDDdjv3m`y&dmtJdvi}L|e@DNSgFTt3o2#XRvz4nS2z=jw
z1cB{pmR2rgCjXveM)t<Yh0Myu#m&r=%*e#V!PyjiUC3M=$XqSW$o{+{8b-EOrbe#M
zfX-%4ZdT4_c4qdjE@Teozoz}q-lAlGoRSed&(_Mw-o%W|!QR%B%-q5G*Gwz$9kVwD
zZ{_Ib432*@GAnyB@UuDoIrk4d@LJF3Q#gX3-jmG1*w)J8*XAzFAkJsIl0q?q7(w(o
zv^msaRR1!UiL>qR<}z`1Wo3FE1vgOO+dmBk1VRM{g8V_ee-40vVNCzRa4>Ok{2j!_
z&6vgHnI~9TTz)YEi-{3P?B7cv!nppm)X2){_m$5kc3}apXZ~Y7^B?P(O^m<?as^WX
z_&G43h(H8kcz@^cztRAh7{N3E1Yq&;JFvv83=wC$8=DMAzRdQXe`bDI&3|P6^Iy#W
z?RVzy*8NjUlz4w<{;8r3buyB7#@bY0;8DbGQdNqNFYL=#d?R2k1wPo17Z2#G5LVhi
ztRdL@O}`>hap7LRmavgvq07x5`tDKbx^qRnbgJr!;R@-xn1U~2kMv_vGW(=FX`Y(j
zASyJZXD(0Oz>F5@B@A@e8!5GoPjm~YH{u>qRpDGAS^;hAHJozJ3WIx$Q4*bG_DLbD
zSrIeSFCf#^vFrGLaEKAB66XuHNqZHMH%lawaERYzZ`;|R8AoHs{CvG`c07$>sS($~
zFk(l7kh(ux?VlMnceuB<)%4wki=a}5*zSlBt+N!XMJ(aE*<=M<(AJI>0K)^;Bo0sz
z6wx1=1jPHR;i18b<og$j|Nlym=zg&YSdjkjn+sMT5H~A`je`xu$-&C~tU!P5{{Kxd
z|1Sai9NAZX46ot=Tb^h#aUp?+7ZRXBn(%2Y{Fd!y-B)RtlPy>SM-;Rx;?6NNE{;$g
z)Wq`OzH%)U;bxwl`|V<?b&(=C_s&H7EP6XdVS6JoghlO@DPNOXA*sh(@>h7XqoATg
zSbKiQ@VcAZ{i7fOXotkBf+YkH$vc-v*r8d2fJ_Q4l}|7W(czR<Rh#s4d%;s}=T3``
zI<%;jIy{b&7{VaMQT|HYAE?7QrTQ{u)kZIeIYtHax)FEKI%D3SKtdWn*4PR;qZ|>5
z(+|p^X!7>3k`JJDF@`^?C99CC2(V(j_uuZ!Db)V99w&72tz>Q1k+rm^cD&L~l?CRa
z_+J7BtN>GgDG2qM2rz-bCn#tTB=|oN%JTr~^8i@MfG~d%t^cY?e-$ky#AAX25#2&u
zt8mZ|ho$(0=%+J~`JZeBW<DK|7C7wwC5T|+Bm7(91JfMSzb8V3k^db>xtP2Bi_vud
zU}iOt3Wz4>MGocvy~g%GCjKu9{}UX{-vQ6)WKf=<Hz2pa>L(Cn{{LD%IsSYwu-el8
z-Ge<V)t`S2{?gpP{FMsk1jrz8LO>2LD^wU^zls<wv%sntccr13xAxUobGKgOJXF$+
z|Hn&GsOYU69ieT&r_hPJCo)LW;R=Ygz69s%e8riSoe|;OsJsmy?&3b>IL?`i8G9J-
zW%BuPji+G{h3sP_)OqNSveRwS9k+PJ<r}FhF^(%qEhKd0kgC1~eW4p**7h^=Q-hiR
z@3Xm(pZ_iQI-yI-8-xr%BQ5+(HW&SzNjxLEf)NQJ0l(URW)YCcDi_aMGM@jtmJCAv
z(h@v?ptJSwTC%pFp4{$A<bAJ*rCjc(F74}mQHU%{lDu<;(KYhqUi3nG;@pk1J+(m#
zXTMC(!{I;`RJjMGI8q9+aq<}o;}TSjE*P(*VLH1cAa3Bodn{iWzJK{>86n}kHwD{g
zRn?UneT*wRYg8>MW57>FzN=d^axuHh`V$e`h~Fz|V}HKYKk1Y8hOu!<iK$Ox_<1^;
zUt*q0d&{-i_~04nKDz5mQOc}A<eDBwz|S~oSeCkkj_N!=19_bZ-E68b=vO*ckY?ht
zPQ9xRNgOtpgma};3Vy2laWdbB*z09(x#S2`i`bDSB1dJhM<ZDU;yayZ&E!=$qomL!
zngrj{niUCoX6eC6&{b4%qBD~#HBN1#3F(If*LHu|oa%dkmv@C<KCS(VFBE{Bhlqc|
zv)%ipa-DL~XgyQUo-9(9nbNw(xJ$AwyE3}?l!E`-cRhZ>3;#||VPneIKrR^akY<K5
z%O<u?J8%BjHi&N74PQW50WJ2p#f@g_Q*d#~m~JsR{Q}A(0f5qw09;Y1)+@tM?+^4p
zHHI9WLdFr#QI9Q^ohCI@bs934yeFwy#YRq@iLb7lw{?kx`cTkC$zT{>9JFb{E+?_>
z|Ln-B00LO-6yhLmyFQ4Xt1m=xn`B1`mE~f6b&$<8E}D@awU%12Bl63K<DQ2<RB%k_
zZKsL9u_%jw8yPZt?~DQadFyix4iDG${?7%*iSfZs!I$Z0ac*3DdmQJ3C1Y*z@rxgd
zm-HezfpBHXuT{=F)62`M!W`GA5L4k<Y)FIh%GWN;vTiyQ4CYkd5i07$o4(pqpe(XX
z5Z)}-_A;9Z?Y@vW;+e*#X`-Gt(Mmh5B_=4Bs!^ishSz@s(|+WfCaSp}0C_Q`%=R{;
zFwdR%gXP)7om9;a<vSroLw!O5%18guZQVAutA|%6Q1k|SELwbNE##;6P!W@eUBrpX
z2<i(A&si}P3OJ2_zAEwmc=;Ib|L*b)FM%)L)PK8tgZjvT0WkV=`_EDepqU!t9}w}#
zew7#gRh)@=zRu5wl|loTdPJd$8yPMahC&{vx7*8~uynFcPW<A~KgeNQN6xLy*q()y
zlRvHnFFU@SbjVhj9zjbfNJhQ~hF~R0#&j%yEGWvvdQQ85&w!v^osc>zO7iymp5${Q
zlZ}J&H-2AWhJuu&`;$qB-U1hG0}Kkv5{eTMTmxk!^SN4|ErsZg3}6IT2cFx1k_wPS
z1x!=yFp~+tlgjWCm{ckQ@BpF(S^p*#NpP_v=J^<9;Hq2^c$g88Q=K1X0cd1?Vf|jn
zA<O>|38tj;{gl4hS0hNyi#x*Jjc{chHhzQeh`Cz*h?|<rB~&`M1jN?JWC6wR_30nG
zYU*}NH#%e}26fr%RO#>er?zW(U5nsQGkw0!$&1&gCSNKNMLbg0vOCE!ID~4Z_z0v_
zYHsVX35U*=@ZYX1G?UHh5xW_tE6v`_H4JBZ)G(B#11F1&yIA4E9QYPZCjMf(Ifpre
zjRzV2H*y)oT%#B4g2G){=h-gkAWKFp{_-ad18B|>OV{bsIJtN)0PSG+v+WeYw)=aE
z_h|pGF;SV6H_``=veUmrSt2+lB%cv)z=#&$0DEr#E6TK;xBmeV9Ay;Qe|Q7ziC>6#
zU~iE5$PmA*i;p+&kf`aWHp={7H6!9ZpLNTmY~&*{FM8Jhye(?{KV~VHzp|96--BSJ
z4;%#3;EI>%y2HPNK<asG@U|jkHu1Qr1aVeR<0)*xp%~$F9~+}92dqiP>)E^r&u6@i
zA=SL`C?j)pi!@m_8U~r=s_PZr*%%sA?61?<dfZhxPp?Q=bTv01e>pWw!wRX1D8?bs
zcKi`@r|Ncl@#1Jd#2FedFf1}Qcs7)Yl&`sE9gDut1HG}&`28nnahg|ahdOAvvonG)
z!RqaS5X(WXM%65qaZj^>pUcBWUPxay!@HAqiy#NI|7fPkM5gbjevy5I3nTjdO4mVa
zA!k@;#stfN4SknDQr&8uWApoh9)<v4gPlqaiINK<sd$inkB>N<OHM@(E_MXV&ST)x
zpv4tPGGotpQuFO)7ELj2RP(?{fA{gr(HFAOum*TPCI!et7|CNTf^sG?JS&voP!=eb
z6;Z7}s#i(bFW(F=XnuYTRgDS}y?J%syfaZzm9(>#>Pp1HFU}_E0{|LYr0phL<8{*-
z11+$&%j)7veHsqiT{PMF?aTsgZClp~V2(mL2Oo5zuGSe;r)W{u9XvbDDj<nGP=;Jt
z{H!C1+NluPv#N<#4fJcF$!8ykk+w3eJc~^_)(kFQnTQopF?XJ&<9K#DwpcEcojiQv
zuak=!7KJr3iXeOx*GQD&RnzqCYBIr&KxKCF#W*4C)tJY}SJx=^L9nV^hpLn@QfO}9
zr(o@Pa;B=N_V#^2QoQ|+lR5=8_;}9A0mc2}0>*uQOUYSsF}=DkV;MQ_a4{=(R(eCg
zOO8UR9xbE~l%oEZM{EdnF9ol$_&)<wenR(F<7IjgATpz1Bqs%H$kr8=P`ZmB9iv}b
zi*SLUeCW@KrP{M_rM!^ecR`u}ospo4J$u&g-&Go2@pdckcMDS+%AKP$h*b#bM`3H)
zPqngIG~{lLdKbx=cfXeb#Xlxe&%X=d)o{UaYvt1v%S866M@y6ED&>XOW*l2~)AvuV
ze3<s)v};2?r#>J$?@j*7z9Pg&q%p28DZ=mb0z;=Ffg#gV`;OrN`ONSNRfyd2%ls;0
z^?d4lKipP9^e5n#6L~A41`AD2((nX7aWV)O#Z_a%+mXX@ZP;(#y-F_#raFkvrKNSQ
z*5HCv1dd6qz_&7r=h}5a$tR{yjdpik1J<uok(4xhB5V%E>LJv~<0_rq<0dUOoH;)`
z#OToj^?K|blRLl?V<-*4{?zCm<-=k9;}Z&t_J_)vvc{yAcv%~5?J8r+X72n|L%35{
z&bo|&UA0@nmHC7iR^9>6@ohk|u9ok&kcRZ3BdF#`D*rVQj2S11H6k>g9VztK^>@(?
zm?Wg=ePQNVCM2nfi^qACyej{5`la^;YV)vK*F<<V11lealiFd3Ry6|pta5nyRSZOh
zO=%S<i7Yyd;Ro&5(7_rcsSh`iL`$(tRLb{@h?OgcJUqU<v|aputpmm^X07>T8d><#
z=WCm{J<BRCUIz7bgT?6`v{X|J#-&+{_l*N=%lswp(tkj9nIbm_E*(i;`O)dW6(TD7
zR>Qr(rIcv3?nx$Zy-`I&Zdy94H2t#vy_&i*HNwVF#5vs5qjAX_<MfIeqndEQtu-WJ
zJ0tQ_)dm{*>i2{WjI_-P3MrJX9VGLb7{Y3VPaQ1u+1CN9z`8rTORKXvi{c0-hVr1O
zf-9oo#+S*WUO(uumvW$oW-@uQFhQ5c^#Xh0!(<^*Gm;?$I!n7_*K-AoMop#sVlRYN
z==Zbjoxkp($$Y}@%Rx2%@qLL<eD2Ga(ec*ydlJ15n-7;WF1mh1=`rXIT8m_7guTtj
zwgHz^sT|u@0e3lU+rhGes-G-i&9bg&Fkg+cXvo7d=veX0w#0mlPAQmNxN$02q|wgk
z0YajaG(&cvo;CIvSRukulUiG!Y0sIp`8u`xv|hIFV;OsQ=XXTKF)!`D-Bsycp=#WR
zPA-M1J#_a;RSJQl+Iwbxf`4ZIt6$7N`8)GZ+5gG>llQ+f|2qDRqEQA9*2L7TUgkmO
z;fKZ^#P}&+dpE>-YsX{A2tlYs2IVi*B_T5iPcg~O_Np(28&#+&G(6Bt$efOGI?(37
z$r<_IUIcAzIrZc|w5^^it~0SwG)p!eKQ07*pX*}@fL#iVJ+kh;ZSI*0oq2WQk93W8
z1+U~(6?mQDn6k8LN78N4-!lyeBn7EX&g7#U))!tG7Avtk&XH<l0t<T1flFj;yB0I}
z1}%Yk`4Apu8uw#5b_ObBwRalyT1gbbG}^&xNU=Ba1gUVstY>a%+g+v-YMS&D?viNj
z3wj6N$S+f<UcgpN(4nj|!m*cLm6n7Of6s$gaXg;ok%lRRTA6dieA&JPS(Qgpu5apI
zA>yuyH%$K(XJ)%;4oHit$U5`W!R-w7Sgxyyq6SuSp4@-@ZROKD8odv23L-m%{#Qxu
zL23d7{*^juYOZ$dKLwE9_|m0diKL6rrI3u1x}CVCk(dJIF6LO;%5YkkmRWQy0=ZDW
z3wuO}@hqwV5Qnca?Ckye!}os%hw3V9nbN}@ov19r)W0#YYWYg?9-!7lGEv7s*=`<%
zllb)vrqvXXMqpzUKPl|)+e<8<j^m%s=P`&Nxu3X4Lt7@`mL@A<*@4_ulrf(VtY$4o
zvTv?mv7t$$-!yNq&_5APO;}PL{vh`db^_8lpV_i))c+R#i2V6uyvA9?PI9@^CEZk#
zr#1_}{Rzh&TxUqv6!+WY9mrxUc2JZ4z78`r-wcw;)zx-jbkz?L<EKQjCJx*c6*w}Y
zw8pQK0Xbi)ao~*~&mqLxF`@`A*9mh!TGB;A>OA=ZE8#mpv--gGR4FoI*0N-1+U=4l
zk3~fdD~fl7#{5Qm)&1e7s>Zsa-$3y9-Rh=v{k=(_Wrn{<4Eon5r_4`N**Cb_X(HKa
z`?}L!<|=#*hGGRkDXe=MR3E<M9U;oW(BsUZ`U;)I+kTJcK)Q#3bnq}2o&sany@S}H
zP$rWbRPm~vM592S1F_&h-^(T^z?18Nv}yHHr(cQt=*M;}{{iBY^XslRl?TCzMz9pG
zEr>e@pZt>O8}<6xDg^UbPZTL-zrB82la;xUp|LGg(|?x)yxP2Wg4L)s(Oh*WhTnI2
z**$AkF6kEp5B)Z*Yv()po01;BY5mUY`13SZ$@eSBO9B(lj$cJ%RY~yfOx(LpF?4D3
zMs2qWoGSM{uC1I{$BJVJe9hjBVKNx@dZ6J@LYpk@(o79;wu2-?%U5hzT<Wom+ShI{
z*mXE&_K^Jo^!--IM#O{1V3;=T*mj}(IAnH;NLBp><Ahkl1@ku^ilUH)Ap80uT&&#=
zaYrp{m<}$dWXV$&CCuJ-SA-CQaD{j<20c;a`%RQ0W}gl`g6PH12_zYb^|xGTO&=;p
z9l7yT<T@>U(jGVP_qS+6A<KPJrAHBkz9|%om2$whz!WQ>r0tNlR3*@TUCFk*c4*Z4
z3J3>8@+Nq;c~~IihQGb0>K)i-vFHU!qRHtx7q#4ED8XWP(1TFaB<<;nd}YbA0-WFs
zB|l~Xbv`HTca0>mtI#=};4Xi>(+e9F(v&78A)gt1z3-p-PII(J&6Vg#P>l!0@n#?4
z1$u7N-jFZmF4O5<OjHStLdw%oMiw7ZT~+i6x?TNw^mW;!+M8L~_d{`*C=YT`T+-eC
zsu1L>$R_Lj*!;cLMT|7*fNDu5H1gOjn%q#Lo_Rk}w=4*+!tY*n2{R4vO<yc5z`i%m
zHG$@%Kz^@a#))~1oQ#p}M2Q)p*Zt+kgmQ(1$_w;6A0>(bG}O6ly-A>$Wt?)voAtx(
z*_9TLCilMmbXYrNZpWp9#W}h)BioTqV~MfhJ!!Si`YptA>2wor<xOhaNm&35uNTFl
z7*|6|8gn>8{k|}_BL4iEuWIBE%UHYxyXF|PA91AemqcWqncp1D{C}UkAQ=7ERAV|R
zZw?2XyvYA0c}W8&FH+BlHvg<8*T1x6;&&~X!}(K7Ji$57bBg?o_MAnii>;UE8Z6vB
zZWsnGZ-1NUcF3dSboW#5xIk?kT74+dC8I-hSYB7xNcvF36wjKc`8}>@OBViz>YKYM
zn8BDgLhiIawDiD?Zr&iwS19ZDkybdVeV@uDg;sZS1;0&?MKA9}xtD_)w+8O3mQtAq
zCdEQ;o8D!%SG+&iuakI9#Ip7ngN?AYMM(xh+Nr%8(^w@GLZv`#^2&5|ncIpKOjDve
z?_XM^1*g_CIBdk%N7ZfYVMlH*g@1!*x8#(ZE_Mv!>jh~;#H~YDX5FFYMKfc|N0jGw
zlLF%rKU>-=QwtWkpV69!RqLNlz!%=Ux1a2nFbG%s?7)XfM7gD6Sy)x>;o-`v@>yp+
zU6EQ+{wMd=%NP`%6*A8CwEj0f{OvyhfTf@$4k}YDbX;63fr+6WTNY5u)JZ4*W8Vp(
zCZ;)eZlUX1<6HCjhR-`MoM(GpJG~v}Q5pM)k9SjasY_fWfKYg_IF0kd<bs*kfz*8l
zi-Y{zyVbeK@Jh!vrwg^r^<huQ__Nez^PTtYyspNAC+n#3UC7IOQEGF-6$3z7JT>di
z`_LqGfc=UYwP7cxtSGgMKD+-71OCr#7QL`q374;^hot7oJG25D_lkZ659g8}sqmX%
z9^yqHX-&GcBYEI_w`1a9>4IXzWu533HAXS47uqtQV}f0>&14m1mMiQUoy_*fx4D-s
zzS_0Wub9v9Q|(NAw1OyPi;64#j-*FadB23U5BH9#%a*AoTOde8XNZUMxbASRWsG&&
zwMZHvAAZs;qC)45h0j&#Kw{cRfVWB+ZHiNEaTP2;Jlu2um_#vt>R%ZeX7l+p`?W>s
z{Ck0Q24vWGv)Anjek@E-nBI3rnzRm!B4fh3>u+r9^Ac~)qTi|CXtcL)=q7ku#zrxP
zuK&=}=_w^%yNFut_xsowIq_`^&EHcK18K&V?Sji0CH`}Ly+(AOAw${Kkg!t6d*0;p
zpMzPb0tpukfjgO}Gh9NuuNCcDmD}P3DB_7|OoZCx_n}Kzr?AsZ`q(bBIiyvVbv(A=
zMtxmGg%b+h_dSy(476lRKU0Mf|0uS5N>q}!MSE!y(jNS7p_;z6OE%l}v7piZgN6+j
zuIIO%jt&-`jQqE<4#=?!#ru}Mp0joej?(t(u=_|G@^huN-L!suf|emRwT2N_xR%In
zOemW3{@b6@Vrsd9n|k8;5h7Kr%4&in!;d6pq1!V1{NDS?LLU$=#<Gz2`8QVI27a0+
zq~q@6u6dPc-j`{ccQqOKiXG|a4}~>C`%g!%jyX=l2AU8M0n-LNC)k;jT!$$n9~&ld
zb32u7GN?Upl57Zg)kn|rNtl_@1nl=b;?^#S$`v$13`_ZMXF)?M^P*o%A^O5+QdHd1
zx=pUsCuW8Qp^kc+`6W^mI~P%9gSp-*N+Ecp#fuY+!hO^+4*#*S^w{ldGk1+xgv35^
ziMIB19E2)}{IyUgh)Oi;Rlnf}C0;zoI;_C}<#Ana{M8@k%TwiS`I8qkkdat0<JPF3
zZyp0CWBX$F@=D<QTwu<P9OKcC55+v9kI2gOMvSBz!a(1G5wf$M)-hy`c<`_Hwc%J%
zEdBHbvzhP-*N8NNI-6Kaf*;W{U>c%w)@drK8cGE9Pq#TM6wg{-zki&AN!O?zZJ9Va
z^z#}rVq)MI%kQ?5;&lA*Wn>K22%j?QV1aD*I}SG={wMWLV?{|STx-~X;CQKJA9k5e
zrH&0h#tyYcE?O*0KcD3*huf1GFIHmsk_?y!>|3Oi${0Sznt)nZgOWPQ*F&H&o7LNU
z<ZUHS!D}dqZH;7gAJsH8xXj5r-mQj`k+ho|a%dSE@lXXKPfjm4yyLslZ!DxPG?5K7
zy(*}?UnnI8t?vW@_1{kY?p|`VR-<ux*^u&RxV*x!Nf?>x<s%5JH)v#d`^@|m|EMLv
zsK3*a<#zC!Yk>czC5Qj4B{#pcWc+t6S#JMROYV(-*OIpik^ybahC?|F90F&q_SVd0
z&arIbavX)DG{X>paqC38&O1)NiNHoe;|0_T0!tyaMtO0r3hw$Z8HofBA4}qG(PFMC
z${&eq$FUtsRTTzJ3VhriOI0l{%Z!|yLcHpI6^FYzI(NTKeWM0i9g@7(I#Qf<`^rH)
zD0%vBSH|`m!mw2M&K1eI&e-JGV}wUPul`<<aW}dt598pNv)tz*@36SUiVGS3gn;aG
zdoiwcsNJYg{Zb45<r~FO-mHa#1`PT++GvfDA)KlWsxKaVW*#9Q&3Ae5#)92<i!0rv
z=hFszL??-9Q&{Ob47KmL;8CN*&=ey&=xaEYaPW=&)u`ISbgQP{J2^TQWI9E}e~j0W
zEn(1Hy~e288@8C0+Mx4NoLGe|p1G0NMjH7Ul~0YIG`6s72dhSnaqd?xLrWoyyV~A>
zNy{+xNNV0O+~{{$Ffgsy`5<0mDJ_ipaP#z@u~<`pN4J*-u?Gkpu$i&(+TD)%wO}?B
zrF$}*`^GNHreWloW!z@o3bf&;OjeP^8nc6d4}%E-1CVgQC7l}_py7N4#E!y*zR-LZ
zf0zDiK?6S#=#PQ)w%tYD<mN~sQg6<O)FSMI1sEAbR=)|Pg}XzDKi$n0>>zPTYwJaL
z2#8-F!F~);U{pVNgtGMhScG~>T|l**Yp>rLNUfb;*k8sdp6}<o5FHIOj_Bk_W;k4l
zfXL3oW&|Zi`0B)rQ!DVmw`!`QdtO*xvV7{%z{vW2ip<UOdDNw5q}unNBM{<eKLU9%
z<Mx!V(8I{;x^HQQ!gybM86~4#)+~HaDH{MbYY`x-i8WZGjJsBE+5~8sUO4rBlOLfi
zyMiTTTd@bWWw|xLJluCL8*;0UTw1;rRfyYBQ12f)h;xt{&narptsrf_A5}1htIf>t
z#R+OX^KBfpP%Ae)j<*ziH|l)S^CF5@9)nvG0_|0(D0UrIBUVemu3!mzXvdSCN1Ojm
zz{=NlRP0G=EtNgc_;;t4yqsF3$Gfw1!b}mFPH;g8A$L0|nb#6<`q;KqUm^VB>k&f>
z{MTV-Xn*97_?AYeSWK8jL&6Xtvde`Am865s7u12~?<~wYGDKZXd+WbDCZ7Q)P%}l_
z7&WJOj!|*qh}56hai~8~v9Kp;5mZ<Qxl4>0Nu;l|*eqeq6KZhj7qx}&lV#SET)jt_
z3zgWW3Hw$|bLv=*tO(PRG#jE`gg+pQHB$ewd3%aOWYE@d-)fDf8J4g4K(+cb6~eHT
zgkYzupQyklXHE0Y@=Hf~RIkheg|lwOyrqoVP9HpcBD2`#I~>VXHn#_)5Ol<F))|B;
zDe3Lk#ufNgyi>5}=r+sd{9XmEa1)SdxnXDhr&3JIrOrWbF$;;b+lVb)0bCr;G&yCB
z?p+P_-k)#8J2y=_EdzkOonLCoQ%B5>X)6lSzQMwL_YhO&hD=qxW+n*fETx$x8)-1E
zM_G=2U347aS?**9Z!C|0SM}-G6^6CoUi<zi;baa{g-?1PsAmHHG&L3U&BZmizLhdW
zBXaD@ze94n-Ih>Zhwe;GJRYi_k+P$%eSIdk@10LxE^Tj8ejoa)xF@g4hclaKlR7I`
zc@#k@{s|a7oA`+V?(BjDruYlex_8t_H<}kRRy`!NrnoHj7Bve|4PBevU)n&tY8%=P
zFa)s5!``g@Tgj|>^?8fLmeBres9qTQcIK3nJuPkh=i+XV%6RYD%n=OMtD!#hw0!bB
zR*0wO4S3hhE}0~ksK~529&b5(8j|H6@@69q6g%ssR%&~3<gj!GEne{LUGY5Cr@5es
z^|@AxEmy@ns4c1CkmM7xaQ;mdm^anp<@<+rL5^RGJl91_d`_Ef>QJY}6vURN7ZLRx
za)Epw$PnaOQq!Z9sP}6)TddZ#NLluHix!0r7fjqae|>Ilmhg|CMcn>k{;}Vgf5ZGw
z<`@3_JM#w>@?MCgu!V?-x$d9%jnJAX!ou&q&uY|befi_&1*J?#qL$uQ)Y3$ER;`#p
z!R@@p=$~gZ)PYzLF<0LhAna^|8tU4P`9(;f@HszA-}=zO2V4nylV&bTNgqI+?nv&V
z!JsKgwUOOV%JHu1W9Q<5AdaY#)FV+FvoJmdo4=+tD!Daq97HUANW-r=mPB@4{A|%(
z$>rUoogM4|(W%>_PkzuK{~@L)5->2QO&$a58a~rE`9*~aS{{F6E4KXY{2W%8nF0b1
za5LMPUSB$<6Eb0c_Z(jYqV?Jk)TKlH3ejsvkwof?^4t5efb<!+^|2J?PO~T(ygKca
zFFPryw5e+$+24K3ciFNN7&$f&-hFXWkM2-2R26|+YBf-8Eng8p!oeT7xGT|dty#h7
z%fZ^NDg(Yqhp`eb5WG?Rf`wEvZrZ%brX|NnXt3zRSx1~FFOIaMtzML|TS2uiB?O$T
zk4>re3v6I$ikqJpllp{`T(|xaP6pdgc}L@_5k@SW9{#Jgh$ZKnDhe(0_fV*cSts}&
z7V-!0&HOK$C`(NeZOFzq6wg-TCGhfeKD5Di;w-E1gt=Z`hQ_R+6c3B7*2TAY7<Qm{
zst7dH{Fva-KM)gaIFfT1&7jDAIK+UvvF5HHxB~KSS3-wn1~I<%z7=>y7=xJM6)%9_
zRPyAA_qJSZBNH8uPMa&J#?Zc460PCtaH7?DG{r{WjSouBj8}STo1<PQZ`E_EcQ{9y
z3IeOa%6_}rEBUzPWXyjyLK$5Ny*e-Vg+ryGbxw5V6DcCovR{&BQ#L@SvpS<-4V$=N
zi#V4fjfb8sax`&U>($CE-BB{q6b(tTYkfi_Mwrb)$W?JT^7uqG?c%@~jyDHHWU<*p
z9c^9HvWD2_bZn$e=DRf~nEuehJr>8GdYXIw;S_0k&_aWRG-D+v!r|8Py0%sKm;xh1
z+fcosq&K)-`0L5lS$ykTgN3g_EI-h)%ui*VsT)lmxjzo`8|Tc!>Aw;7+`_GUul5;r
zgI5$$7MF;nF)_PWSS$8Y&f)z;lj%o3*mZ9{=ol0tdTjFCs&(#|W5W_Dp+;R1NR@9R
zWE*H7GZqhl%TdKNECZx`u--e~kqJ@i^90<}Z84P*n4hc_a)ajYlFQjkQ=`3K&zST6
zFvEx))x+nNVbSmXNVFh%lE)wh8N58B_o4yzrdH=mUz(}02@d_~AP=vUra9UB%cFi6
z5sm{wzv&--ZrLR*Eeu4mjBwQEQ*bPD3kTovAOa`e(z~h*R*Z-g=gc}K=c0a+99PZP
zttC>l^LX2(iwf`@a~7MP`l3hWqY)dG&NiCXB{N2ue=J~Bdyqx<Q`ThL_o?$+ljm$Z
z;h-ZntRJRV(CjH2Hv}+LbdfKY>7u1YGHQvqyEXIaD6O_3RDp*6%-#?!1f=oOx{9gs
z<kobJTNTFwBJR5>c7T&|o#x2;#mWOy1HnOyd4lcfZfGsHVoHX{6!9fSrQ#OW;0Oqx
zkD+`GWB-u#st1pP$kipz<jL=~l|BQHJSZ;$#Qw_vzE=OI<V)T;+_fu3R_>dpm+n5^
z!7tN9JEWLvWfkFG9CLKXqC5T!@;I__?U|#yfuM}u%rdKabvZc9cU1>)#x8V10#Ov-
zFtd+UeW8*mpe^NPNUFcQOy<Xh9Gvp-<~rbn60@Jgl)4PK<$?Q5EBIqp*{yU#0bX$7
zGl@K6Dg7kbv3>qv#E5<C-bUpzU&&!l2Y$Xils4L@NfXI6W*zcgRQdp2gYmsY!Y}rv
z?rEZM)LbC}rg{B{8rNA<y%Vvo$Qrw5a8K<Rf_anPW=J}o@XMPpuz6<+q(Q6Z=Hx4|
zDUPThXa1<4DVc(A;wyF?ERs{4kHN$V?w3$?TSr(9c<l^_M<Ve=lX^zmhy3k<5&kjK
z*J{b3l;!a`iwFZV|KC@n!sq@ji`Yd0SET;>#?-$nQfP_)s3mv5v}E*mE!jo+Q%fXC
zf7cSauP}UrrO}>g+%fEKGPG*Dr4hbNhhIS}X!h$<o*2r=E~R!abr)*NHh<nxwv~Vw
ztVlwz*-7WQdAvjx-Zoy>zW*4cyP{tIS%Dkb;6mi5AH|h3;(IO`)LQy0$hMF3FGU5z
z8T(sF4*`$*$%G3ZJ2DVN3%YWgK|>CQZ}zC}@h;wUj)cmx0@glpdpt>nPrZLFZLdF{
z5A!o|6^ny4eE}CSB%q76UxRUT0GcyYDaQSXD;!{uvdO;Bo$JWkg;BP8V+}*;y<|N{
zn?dqQosFY2ho+`w`XHGzy~!fqvSd!uC*P9Tp1cDnjYSeUb`ZozbD@Xb@^D#ZGS1|o
zd+=qj^#>elbL!`5#7D_0fdY|cxZ=>vnYY1nKiOyDhU#H5J0_2XRK(pOdquzB)v80f
z69mr%8u$pGXEMb!_+(>|UGL}dye2H}wSj;q`QjKKoJXp_t9tdqy3M^{m7`U933YP#
zMeo3Au4GLYH?q8yPo0uc&bqY3h?Y)jWA5@5iSDacSR9X03Xl{YKAFt4a!(#rfRLJH
zD_oY!7*f_8$O07FS<iuU?)P_4)t8)YG(>`ouf$;73ou<LOc<2WS#o<=W#;I@C1NrM
z4VolAI4+_`JKm~orDp(kzT|AkSTV-E*_Tft90!0>&pz6&ZI2aKw5PsfULlK;)f+at
z;rRktA%#g(!^hC{`umU3<Z$wQ`?f0cK@N9`bDXZoflZyHneaf8mo`86vDybs*-5-=
zoP)vNJ=ztOt>}<eO-{ZK_FB!>=k_}Gj(an-V({~x5s6at{$@KLqVY8qkI3G=@J29M
zlbO4pz~@e+JDRvm_Fk<p{q*kix^E5I=}FoIHXtGkd%7%ls)k!ym}}>jx-*+woEyD&
zbm?^~`6Rd;9EQmPD@ZA_!2-_7p#$|=Z+?i`h9&V-EJ^u)2$h#8*_fO=qAiFhOX;nC
z$;gULVU0zsmGC-{J$?JF_?3}~9BIfQjKIr2vNYVAC-`%^CItGnIMU|3tav)!>)Z*B
z5FeWGqk2K5%Ofp3=2s59yHiN{NLg(dvLhH&2B5Cg?8pIv?xKhi>9MAq`iS%9!O-uk
z#@q8tJlDdgk%blLZksP;<=s;aNXPm<8S>zKGu*?z7F|J_F13Jp?0MXNR69kv=B90E
zH@r_SJx-pcoD{Fw_)%J3Dm!9>%XL0r#p7aK;jj2b(}?~xkrBC-SL=fxT<jt|Vq)KS
z^d4TVl3|LhSl936!Xh&#4f8Qd+eLQH;ph7SSwD?^sRkOi*eYl@w8x#6sS3m91sV<R
zF*UBMV5-GRQ+ha7bE&^03KC@@3aWIxgRvTR{{)2vwX%yFQtiE(>(=z8ZkJ>R0_N=l
z6xA4M^0~s63hJWFg}_TWL=qpRXmb}l)=%q9IXQP9L?XBQb?x-jb#?*hucj80bSiMJ
zA$Eg);`MkL`+qVXb13@Bvl+s$=K^*N$2-bz^CuzjH*m5Y*pm8r{&0hD6QjK`=t#{V
zln3jRzVb#*UIMTw?aMp)-fKFY=rAr3F-*_D?s}5kV=Sw?YWhyr%xM8ldK8v=yGl8?
z{E@nCdQ{E2*K77?dEpm5l>MXOS;1AcbDP|Al+wh+5LsVL{@TR$Br7G&b~So5P3;&g
z0p6nT_p#%0HA#fyiv^UafLu8Gg+WfZeaPu}>w-PFajpr4x38V*_Fj_;Xo=A9&%wc4
zH`R~-lpj(2iJVA*NX#utz}~jdA1EJAJFarSyY2M&u#RjBxyZyraCPqKEw5|<x$1X7
zjG@L$pd}~_DaCORoWL*_JC^Pi<A+Lb!w$!;zHpZGB&Jdlt08-UtPmlB@|C7vZPB-?
z^P)q#X=`yJQC;|sOALwdmdCJ~xa)HqbnZ^g4#U`YjE5x0m-NM{VQ?@x_%ZgQEnei)
z1D@O#Z=SV87|i^CuO+waf2So!pZ~5R)$-3;0)C|s{2jiL-?ilE^PgH`==-~t2$*{!
zs4+0Yei~baNO~p8h6oiJ7{zP-PWrSX4_O@}JMCjvlsS_^f;cr#nwU_u*gTZ4>SWG$
z>La8Ub=%DzN4}g<lai{{@usquOX2l4pK{J-*;VbePZ>XTZ(dh7WK|-~$|=|Kw6J)0
zFLrBuXtwXL_m*~Ur(k}Wp&8LrNE1<pDg0GDn}}ysyc?fqCHvzR&#o8lgS}+`{TzF4
zjp9_HmYHo@xt7IB*P0IG(<iN+a~z)j)ex_;BWc1O$ekPte))ZamFk)=LBlOQW?FG^
z*6zLKAb2Jop{$>Q=Ws>R;nWPYo#-m}FZGj&NEb6Xd(8njFpQPi@sFX0YI5q4vY_T1
zKfx2;wQL@{pWxR@3vQ&^7?E}%Xc*McsLxsse+H5jzs!9wnB574_1|1jv!;x7d!0DO
z%|@BGh&T0Z`S{93f0*3Pr#tU1Ok^slzwF3!vK^Ziu+Do660B4z7%4{j24xB1HFz`V
zQZ?*H6y%{+h{L}eL-(R^wP-BC2WKyC6$(3?v}==4BU5>_nmu2ZEMQ0J$IMt{Q3YQ*
zYl{QYeXMxJr%Bs_e7a@eT_YO{mbSO!Ydh3axt>I24Q5@G8KGjs3AUX@9)rQwqn+N7
zHr>Z_A!9KZ5l}^7%qa8EIhvrF!@8WWGhsc+4Vyg-ccEG}@F#IJn6oruWip>?!nKkU
zJsUl|EM8U#mxeXvuyn_5*7l}P{+LEmH?*_B>H}05rYPnQC_;wSR3=Vd!FLBg$WHEP
z_nyK(m?ahrBHl#?H_(@gilN`8cIWE%_QA?~s+`uv_lc=e9f>#`*Ic=w)ild4U+?3z
zOs3>HCj;AOFDf=^_=J}t;Jw*P4EE1Pn0+%c*aK6vVe1#+RAx*~1$6J2M&Z$<_4cg~
z4bKA)lea$#)3s?gC45>iC=9XxigFHqS4=Nh^3}$T!kaD^RBYL>knWeboBK1IxZ+H`
z6*UNu6oFq<B12~=n?4niyoTPgUdK3;;Nz^Od$EW^3fCuLj)K$LiJ#Son;r{Gm}eQ1
z_{HeQs;7WMk)*?3LW-jfs%fM+9(h?R9j3jt>}QFIK%|e#-RtZms)CtX1`Oo~7j3<c
zeR;vzwr8pO(&{wx%1UjynBR(9b!t-WzX@!Oz9mr>Y~cy0kQ>Zq?EIwHPZsS3yw}LO
zh9BV-ZpD*DSxPMD&<tHR>nuEAL&6OS-(C*8SQA*Y9w6@8+J77BJnyor!jv2A;3~+g
z`?dI(D#xR|*1gD+^zC{S<dtt^Mggvm@Ka^xRAEx`z<oL!f<BI3@@WZ|WqG|bMqw-6
zqOzg!<H6B(hcX9*SKSA6`&M4nGvl99v`&3ZupEcMNx>G{eRnJ9<N%>hR26a`Jj(GZ
zQkaBsQa<Mp-iF%t8MNOqYHl;XJe3@rQ#lRUndVYDdivf)CU!a+q!1dkb{CLyXlxBt
zeQYA%y)NV07vLTnOK-T25QgLkCzT!wQ^Bq#mt;Pmkksv`-iZz~NQdv3WC)8p!a3fl
zPB7R007)tYx8Y<`nnl+3>2W89h*NND_5}l5QDR{2l5_#3gsWz{ZaL&p0$rd#+Y^os
zH`R_ZOpdbbEB5{G3LdT_bP{YCT7o^{ea;YGG_{nmA-+YN$|wu{>qxXkb+rXpMd+PO
z<#CAXQ6m->Pg{XgI&vyUeF;GMYVENbw5N_Y<EBzD&SRydN1n9!F$S*A3}W91T<LAa
zb3kV5m?6~C`(h7AF$sC{tSLL+DYuRt+9mnBYF-n%OcU40h9@G)_K3{37pILa4ys>t
z1JhqEgUYrBHqdk)Gk1s7>#OBT9Xu`Lt=cyBt>NwvX?fPSd9&>j55`3T*G!!5Vk}?@
zpgMF@WTvrU_82>}G3nm#)?OBRN8}`Dwkk0pzQiQR3E$ek^jgy%kxpPIZIr-!){<}k
z%={0(n1A?p=D&FTC-cj>{LcKZikzRiJYLo*UaPEc&Ed-G!4D|E_9N5qd0=Rv2|Gtp
zdh<X^YS6g%q_9v9?<V{0XDY-gz1q0*<?`Cw=4cEXO72)tAPI*4*XtYihp$rx{)<vC
z>pWpgxSz5z03TyF8$6X3H&&soHUN>_{I`o-vd#M)%TN#Gdkt%(slpolmD3fiw)ZnP
zcVWB04N6wfPh!vHIgph}uLbSi8PU6G1unA@o=K9r#t)hgG!iyCa@|Drd!z^Lj9q6^
z)Uv{oFfAHf-*06<e7(07BOn2F<?(5}_v!3I%-W39b+<%#Cp2w2NBSUeR+~m@TTx9E
z%mA}s<XW=2OEX|Z6PU(}ZTe!UkIpj8$>G)_$Ok*Y9Ar1VD+hfM>|2{`D9_JLSt+&q
zc1oyqce}VIZ!$)VleIM=Og~Na1kl#o58Yv?)7^OJ#IO@C70k=Y14D~KMJ0LaKh~q%
z8K}AQlx>}@oaqT{bg_dul-@WcsNTc_BqPf=#~Gp8j4pSiR4x$P+KbX1X6t>D=OfU9
zGVk2A?6O5?`S}nEIeScidUvL9)G_@HUJdVqxBWEB`wG)bUgS-}&>x4xaGpU&O$cuY
zoZDmV1Iv_!MNQxo)m^r|8DWp!eyIPpSv9lKiQ^?>8{A{v-3@=nx;^ybXmxL=o&5Fo
z&oH(Y4@ldT-0KpwG5I3Yce6%4k@aJwq|i*^u6RpS)3{?1dW_EX0k5IILonf$4C0T|
zx)+dwZV9_8?^38=M6;M7-Id%nAMx0Kbf{%zl3zynxGynj%}UFpLoIu3LYB{V$ygvA
zfg*}@sbgoN|D*+z&K)wP*IIFt0DXAAP>_y;ckGHWaf?R=sa)toKhtiW5YZP6c#$?~
ztQfBzfTT_cYsliyPF$$f_~NtYLub-0zi}{eq=P1Xt7hxKVRRtJUWguvjjt??S+<K-
zbIyXUYF9i3Aun&?3Y&K-NzJfe(y|tUe^D*?O@90O<yF(z!7(hFO_z6$zyO5svmrl8
zXs@4;)(f=xr@}H$<PB)qTWvp;&)L<wu4M~wLiJsuXb5xQ%8ylW#SJF>4HY<6QIh4V
z8n@FVnbM$%L#}GmwfgLYt|p<@#Zc#~q|PfTnEE+p4_i=-FXvJkRuEMTt0`;}wG}Jm
z_dHzrnoi%9NSi9fbOv6Jz^hzYT(TUiOo!?kEFSngx`;8uq{)<i<|#jL(}5Tp5rtk>
zA@nwHGfvR<J{ox8EFKn5_l2O@0Erj{+UhgNIKs)oADUP~v~vp<j~A})b;g<(M{Nz0
z29|yg2Z}g-yZh?A?a3io6wHadOhlszWvPR73!7;2grc}O{Wc0swccwijRPmA4XV9p
zquehJOJ!QNX&Nin<>ZqOqt+)b8N3|k{HGDtNw#ir<*_9CA0iT<9hZEYAn$9h7G`)o
zcbrnxINKGga&X1N-W<!g%GK*uI4K$nnLm2Ien;nvqeFr0Z@6HfFc~i>H)OevYIr@S
ztRDmK*ZVc%du#o5xrU@0gL_4)_C|(WTK!v(YOGAq_~Nk@oP}`l)t)pHinp!kfbf+0
zrTC<lz1*X4j<#@;F6+njR$_#!1Q+lZ!>?~FQ*;kSPe^WoO-=6Hy3~xrEixKq6maOM
zN&Ywa+>1(~e86b9(EMpK?RLmRXRHh2oxBPEIzwX>3>@q#kBA#6)ZyKTY4wn)hDs$E
z{2x)7+XReF+b%KbVqrtH`JA8J5URdbase^bey9e<(lZY=Xn)2$kRO9o#u{MC=wm2*
zLN{O2uB_NEtB)Bll7YB<g-8<aJQ4TCDEq@XM50*94Ew0ImSx(Dj<Re@e+gYHm+|wL
z;^Zg~frYJWIdABrn3WfxX<rSD6OIPGdy5`MK=0o;9npRl18?JZO0XzVL()PXjjWMn
zeB1ic)><UHf$sZu!}%~UG*|eU`M3Wui$EOtyDZ`s=I<&}R`33?BK7!7ONM^el3SQR
zwIuxMcP*KLmb%;hgiDQs(q>`hnfc~h%mT)Gl4PIeVx@4=$A-@q3c5)F*#gbtuLwPi
z%MIA4Qf8WjXbG)B=LZ>#(;wgAO>#kcWi702j<^3DOfEbg=<a&M*dUB6e#uTZ+t|M#
zGjkG+<%<!=1(nseo=DVZ^(eY*aP%Yh`u6aLE)8BTT=7p#wbL=Pw<4HMQJO>QyZ0tR
zNg<8So2le6G>E|B4}@bx=wI!04X6q)%0~Lsl(K8ms_5Qae|$R%8Pk~pWPp+12nmDh
zTn3pgxHv&8xgp{kn9AJ3yu~S?N9bX&+lrUVk*T?{-e}OjhHtuZS?0b|<s>*2{UBsr
zY+n1L0NT!ceEZ!M(+f)AT+f*`?i0r8Zgf|ynIhyWGHe-@sE*!lY*pNb*IC<~Q?0Yb
z_pb|r<RwI9`MT$i0C?;&hITuD#I^T;ZR0-k61C`!!U5Zc0In8ulvq7DL}&EK?swZ(
zh_C!yX+U<)pIvcLxfa+hBsd-J2&dMZ`Y=YmCcXJ7=rLvi|GjEfrODRP40dGu-QZUU
zphF+^bhvjyVUT*IQJvC}PfaELD30Rm2t12#@r+vYe)Y#v##(O_adqxiRRsui)k<!^
z?rFxlVNV8xHHz}*3*`+ushx9By!zPs7^M8&>rL?I$|vnT9S<ggL!e9EGSYRAbCitj
zMXBDNjCa+ocpK9G-W7-B-EH!q*)2+~W!IPVQIQ7MF{L)&zF9=Ag-8+-F}8A`sCGrM
zY@4YEjU|HrR4y7rHRvsU34WRz_Bej)F<b8t8bu4$6P0=`CDjOFg%>F?r3J;toIua9
z9)@`;mP7w|sG7&M1cX*UgCO_gBpSDoaJw}>w-vf1BS4{U@vF=QFyHAX0#j7mYpBkb
zj@*?@B7(Ukn&$Kc8!+ur8Q#p-IhRUAEH8XD100Xmr3*{wx5gY?zSvKOHR@vB@QZex
z1{3D_d_HaLz_R#wFsuE^2j2y|kVvG84t7F0hTZ&3BH9Fh1(ua8=7B<VZwAW<Dnh*4
zG+qYNhhDiH3mxVmtXwuEDAiG5YL5e{Q7>yUeB+|xvS!$tp8pHWVs6&n4nOubBlF{C
z0IOj(ePCIg>K)v>U088hA!sIzo4Pissp=DolaP;Np&9Jl^&(7PbcW^C?)~HpY!5sG
zqEkgELhzGW+#T8BGIF2zy_mgYh{`9RUVLv(RvhkZU)hWZ;(Py%*}@AcF;Xe`11>V>
zNAi#vzwj@gmKgG|%laa$VUclhwA_H{%BVRNhH-PvRWtIRo#ZH2S@e$%nF<ygOjS{8
z@okQb5x9cQ$X77*TX^qt`4@iJqlNSM6=eO)Z0DUGn@U&85WRn~)iI4x=wUk|-i2Q-
zeiQStf}J7^b{K#p1cy4L1bAXox4Dow*j<B(r5lL<P!YQbc%Vxi7z{Rg_~9STsqI)V
zTkttN4A4m1mu-=Df80CKF7<{Uy1SomeoY2RZ9@=!3zik#vQ`*VH7Cw29T~Twwu3+m
zcT_gY>4=N4Bnl!5S?EMn7e^>^o|#)gHMNtg)8+r+>z$%3O_;FDv~AnAZQHhO+p0=u
zrEOH&wr$(Cr@CkLzouvA>x*-D)_Zl<-Y4RXcp?P(s0x`RCs-;*qK0L@vFmElbGRns
z%4MrIbnvj*KwOW}b%pSI^u&=Cf+W#<iN)&>A~R5%si0xY*gka<)y}q8Du820eaKDK
z)I8JsNk=ZJybZ8WWw31<?0cs0p`3R=pQs)&QfF%eXA#I2EhSAqdZ0T#zPjY+p_y=;
zI$ZIGDP@zk&cQk#D-Y&UZ>cc<{G~jfOz-n4n=%8*A}RJolHl*U%-^89g4Cub`}0wH
zN47kT0y%2oHw93<bc<aodbxg(-}M+PWRa{w1yiaC`ynsRPSJgj7Sp|Eq=yVR@&r1Q
zFL;atSUq<k2R{J<={fx%jO+JwAsm9t?#b3~G_$s)sC!XwjFi&?{VHqk<MD{RdzNsK
zTw~9N-qZeaN!%au|L=~JM%w>!$#?bt>PU6`w@beNcFE|!UGiQ1k4q>A{_T>^!r^Er
zw-FOxk*i;Pfx@ly3xmu{`D~POV-`tv#3ge`vp5BK5mdQXX&qI)ZH#jE%wgA8dAj0u
z$s750mH6qRV*qP0HdIb=R~R^6Kp@;j(=p@?GT4GbCL(xfTz~$|W!sxvZjZbMdRq(b
zQsk>O3JQ_Qj*-$V^OV0ARiXhW^g3>#NAm-hsZYfYLiB|f)^HzL1TBlQSGh5!b}?GC
zG4fJU-ks;d4AL<y;R(k?A;PRjQx>+X^XDXmfus|xI&@|GA((vk+)U`k!;WDKm<Zj0
z5dKMF8bq9X@pHtc#=WXWi3(b~)L7#nI=D`r#<}!ym&{@<O&cYU<T^hIj8EQ4L1A0u
z4=svAY=nn7O$qv-nVkvlUDq^G8ziH4ejscs(((Z}T;4YtO1V6f?`+Y_oL~z_L_(F!
zC|13z#wSOn;PW9bKYo)Vq;HIWvn#@xG%@dNG`!M6-lmOgr$eBiq3aRK-w}QScW=sg
za%bQ#m}BJu-5KDde1U=S<+58$G;{+IulI{J>i_m7-p#=;3Pss<KY<ZGvw+LJi1x+f
zfw8V)9L|MkUJo>aPRLsUR~Xq?idK3%culu<8=rVf^H%2+6Mkhm;bR`5;07Rr+m4NV
z>37?|S<lh{m8K0>@Da+TpRoh+8%G;Dj=7^%;@c+9Gax|KNkS<2yc%<|$`kt4rhrN<
zNpyYnBYFp@E@y5_@IGNP<|K2q`N-PPEwsDLs-tKK=cmN&Cq#lFVLWfVoaJ0*%Y|gm
zG=WNTax$x)$LT|?mZa2rN2+Qus6p@72^u{&QmPG6hy(TGJ3tCng8<`?-~*l*CJCR;
zU!aV956{HQlrUp(*`Nfe@R%jciDsm|d&-^%MUee35o?<{(WrK=YWC>RZAorYceJPw
zP{39xbWfjA7)}YKMa;*MM4Sy<rCYeS8N%^N1l+OL_ix!4BZ<%K9%C*UWAtz<FM2av
z?s}n$>fB-+ZaH|9oH`DR^xWEtRVaOyv(&eB(S}<3EM84KdxUsW9VaZMg~|cL>cg8X
z(Mjquag+|<=4;amn!(=KSm<cWshGiJ5*L&|JMz;l@h-N@!ZEXpFkV*OT37Y$0iDsy
zZ%C<_R2<bi`SJnQ8{Nd^Z+A)n(DfKLFy$TGOtYB~lh2uJ4AqPKfPeDiR#b+dbT}tp
zJ<l0@r%^rE;7PtCbl8eue=oe5b}5}fWGRg=(XiPj4BKPrcadyYi(2XV34a&F_Y}{R
z?{~_-9w8G7gj|3c?NM7O$ajvEZ_LH}6<O+XWXy17TEFhYTY$m2&Hk!i)_M_alNV@u
zf(f^`d$7^;=OichPqKdTJ#%Fq;v(Y}LKUl^|2YHgn+K$7&fKVq<|vhi?`A&Wtl#s4
zQ>)Nu-2=zwaL;1}oM5yhdA1+P&7krM1;?|4m01-=DizcG#&M-JqwqY@%O+RFljZpR
z?V|mi9kr5w2PsHWw;XdA0-}^`ph>o2maxfniN9Un2VY8x<d~m>bWlYL)Qh4!^jfX1
z;qogqRb^GO*mRT_YNLD|YuVmTIfAs!HMC1I5tX1)(9FJlOJ3B-reK!%4OJ~|H>AfG
z5|4b*VFnL=NeJ7MF3#>}JR=z~Cn5%6joUD{&^U?-?k_52mYGsA;#lWn4VjVV5o&23
z!TwWY0;EYj;~rfYM>{a{kIfbj2RU`<Msk&Rl_eF9HzA+=Wq)O&1f8LWrOa;iZKp5L
zAp0yN3C=u4F24tD+upW3PrbLWMa*wM7@W~nTA}fI8s(9ICaiL?UjCd{b=7bvYAzSd
z3Bp`3%BAW4dRsG&u(_Dml72Gt7z&oRF3R;?sS|rV#q~~;Z5|!4eHdWuj~0yz*6y^r
z<T^P+drqT5l-|iM&WIN%e(t_cb$!3q?j3@eG&#n)d%|<hOK_rFr@vexT>4*CgfhV2
z<RAGL`3peR{vm(E#Q!0`#Gg%zwCozIwg-ovPv}HE&RV1Nm{K5Z;dXJo;xX$Vxzh@C
z(q3~ID$p-@KyvF9E*Pn&t@YvfoIkb+IQ!&1g9cw4nPNSpM0zz9@3Xvaq-wya?VX$a
zippeS6LRnnB(l!aSI+q#%)xlmEe*&jA^e>`Kv&#Fij)K<87)HOY+eWS?R9{u+&@x~
z4RmjmIxBgDVf{d;e7Xfr(Ls<I+d@?8<M+{K@_WCH^-m{^*EBtYrVP;_4X@UDg)_xK
zkWTrc?A`_s6*qoVZo=FYgn4Yi*Tj)GOxzB6Xe;YNk|@p}A+pI-vJbS^T`gpG&YxYa
zhmm)TA+wWIDyPh6$a2Ic?(3R=T#$V7WeRF;fFwHczYu2FQUjZu(T9s7Fo&kBXmNta
z0kv4aL~4Eo^{8nrEA`|180EZNdO1v+*@X4t_UhDl(*cqrv|-WF*6CD-1)3)(!K5AY
z87U($q;I>lc%yt<)bQxPmk`Gx?WK2C0U9T{MHFnJyr^tMPQM=Y;<1?Jw36gE!|~Ul
zwf4I`EoJ%MiQ?0ag}04jDXEtIx<Y?kxv`)Kz$d$|RMv+8m}=jCMSsy}O#0o6cn(PI
zPOyVz_U6GiWxKMyzwc4$MVgjfN;4{>k~;olJ?iv)LDoCdmuQB0v_$_hg^837nl=m=
zveF;;t;946gWTTo2$%@^nes_M)~kw%x#F^e2qBitvt#x5=(lec+i8X~ub_93^&&lV
zX~HOUNACnw0D%$?)r@;VCs;fCES6<Grd&7=+QX!>4whRiHnJ1#K9S{Rp6|f063DQR
zS*V6-9qKW=$(SkSAug{XGBGKH?0e%g6T!eO`4db3-ZyRP>crd5H_^q3aB~Ak0$aK)
z4W?VN(Ls)c@MW1ejLlvTE;l|Xd(LQ1n{0B5wGKM#l8^daSS<GH2H{VTiPQJUvyd?w
zFEB>rJXv_B{@%7e=m@r7ku%5XzT6`};J5i>!%DtGlyCv8Rdg>fB!WVgD7f`~^d$;8
zfjQ$g05>lq2XdRK9!ZF0Wnhs=GDnBE!_r3S(?flojZOPS7IvfkV6bM$U(13Lu3eWx
z@J&86<TR#K#6>;q7JJgk@*3EY-iH|?RpSniFbHGW5^NNp6SD3_pDc@25{QYsj{Aa6
zE2Zj)C0Nh8%{D)8c92o3C-VjKlT<m^o}K5`5TgArzc&TshPZxxkNP;Cd3scl((7kP
zhPaKY>DX^(o&@Mi7FNd-4SyC1<lUG~16FMFYwB3nRlBgF)z?VP@FNS~V*mr&5~&s@
zO=r451H43D7f*HSX;fut5cc%kK2HdOy`#=++PpX`7M-Sn5GqO@7RQGMY@Xb7Ru0Co
zt&Wg|<U3?YoBIHm`NbqQF!Uav(-NxqTFEC}aR<l};kEi=!qP@o`huuqxfQc(z5_T3
z%IL-7g<MjqWIH?hZx9N0J0f+W(o%YCcd=H`@GD^~kBD0HL3h8UR?jabG=IPnDQ_6&
zmy)PD4&`;i_h|Ikk={2nJxOKRad{}cd51+cf<(}j=@1wP^4W8v^Im_(nVF0PP;_As
zR3zqOV|Q+cVajS*`TL8E!A;oePg_;3mGG=*_n0<Nh3>f20+(+F*#`yig<!0GHubey
zr^p!;?>N&HyJ1320#X5l`w&9oex4cGz4-Ya(Lh+t0{ZOXY9q@#pRA!L&!~&dY(1z#
zsl9^U&A>O_rj+}zmYKDNq{8QD7Zj_$1slj*h>mn(9b(@GzjA60K{A~Jx~#@xiw0<U
z2DYXdS??DV`C3&Ss-73t70q;DRnrS9u(;+78TlB`=3q7p`tUwWD}(yoYd)}U+H{^u
z4@1y;q6k>|?7R5CK?Cg-*`>t@j1_z>pSAhD#>JeO*_dV7E_Si+YmGoFQNnSkr5NpX
zoq?_rVJ(B5U#i=FPdfZXe#QSLKj7cwAO1J_p}zhh{};u-$=|-0(jFh)LV_k#`zZI2
zV(t<~D1cBHFt-sMO?4Z`-GW&xi*k%bDbFi*hdz|Z;{8PvJlLSO`_AICLvJdzca8ju
z>3(zKCPcerKWsDPiV_@21}*{+AG=-=pLS1sUKwP#%=z63nt^tV8Pd>VcA|9Y+X{Xt
zszPC$jC<lb)FaxZ|HKPS1)8gP(*u_CCCAJ|Y0Q>o7&R{gYXGu7bIZSQ>zzXMWbNQt
znL$MDHbN1=08HWVCXwwWw={@;`J24d)551*1M+t}7bbKkcOTf!oJJdM*r4kI493$%
z#WP8^5lvGN)KPu~@(WFAsChz#*~|EY6aObM%!AhAKqSHeLtt6xE@o}d2D~72tF&zN
z#u|VdNe5*nzWo>mq($2Yw3(_OLW-y7gY{QIy7$`C?})z3vJ`*?KNL7r8K_}yray^P
zk&a!5iy4cTh$sl-6fqa12%Uj_zeyQ|^x{wyCy8J8YY*&*?*JpbLpk_zQ=|8;bXA{@
zU-WuJ%a2#B)=l!6=kg+HX>$OllbJHY_2qx-KV*GHN7TZtTO=2qxv}HQ66`?5t2T~^
zc>`n6c(DQiby1Q_Y)M!XkrP%AM904NGxGv&?~C3!K){Fim|G3(C8H*YGksFBqo6&w
z^WTN7=Ahu}C_OU$9m|5W)_T&SQNAOMn`*eL3S)F1fO2PdP|dwa`WQIGNXO~)+-iMH
z;o@wjf)OdNA<Nd(aR8Gwa#<u{dp!6q%G-x$?$YjG?8b(4=}*)i+UG6okGcL7eNF`S
zv@Ei=BbwlTzrdlG0Nyjj>P!b!bF)!uHWLy4@H<?JggE^$$a3$}G8x>?_|*nXgm~{x
z%%;c3j%rN8%QDJ_PFi>90C@Sm&a+q>W5gXcgE%BLwW2G=BQy+Ust%ofSD=4?%B#MY
z3GMVO)Nq!#8wVoe>npnTP}(#E5=i<A?>kNvC!mUN4WZdFvOzE{h^fkdC2mxn?@xMc
zvypT>&$4w%0BB1KhFEwFE7K=pzc!)AEwr$rH;ZN_4-rnrRd)wx3R!i@!Q|ANW9_{A
zfOK8_9K8EU_I`e=TpBtY3OQ&3ENLhplko3%uWN<$!TYYUe9d2h&ks|sqIIo~^w5e-
z@sIm1tcZLjr?S?0Ay%f4DCBvYJEZrKJz;gW*(9A$VJbX0ZWvm4BApRj!-!JvQru!O
z6(`xkpn-Io1`3{Zh_tWlPM{4}+q;AiU~Yk>CTF1L`C+&0Sz#gxIbMDa_m>Co*qRfT
zA=sOz<m5MYWxKVd!q7+s8xiXmc2XXVQooT?^f70guHk=%bRGNq#M)Ublz#@eGBPLl
z1>Zw}Y$bmTcZp}a+x9p%cVTK7YOJ=cJwP<!F4X_@?4;-2Rk>v>xd-oE#WMwLjA2XE
zV@KH0zP9nK+Nl#oPa{^86SBKCi4&?^aEb}(x|Uy{cj+u)(EHjj{bowqQahzST&(#(
zyy!UH0JXz$h)hBgai6B3LxIy-7CY4f8fH;*5HGQBZ`_$+fuiIJ->{WuA808~t7=AZ
zky>)ADuh^=>{;FcJc5pByRY{3)-Z37P?}<fLl^vRet?^2>p0)7b?|csZ}><txcBvh
zc_w9d__L)wbC;e=(0**IQ+r5D<4Rtnd|uk8=ijl@HpztR?Huhoi5d6?Wg=tN2HI33
z3v#Pt@g8hbL(XxaYR+y}DckT2R*aziDRYyV_*N-Lnqf92%L}NciAYc_=h$IH=wNtm
zQ1dDI<BN>VtC%SZF`x5ml&Ejy{vF3If_$0!ZJ%!r_M%KzafTk_xDrgro%bi|V3=Pj
zARtwX{|%O<2moxuF~j!#ifO~~O?!6^0!x%h{C((vh#DolEVLN~&{vp{+-f&kl*zOF
zMG%#Z3fp@_mAqIge41|ysgT1f82#RqA|j+bY}a4pANWK5|J^_8gZLl)qXMX}|JS>S
z?0@#PFaFyle<IEPOf(Js+a(Ca|F{Gu_1`YRAa&G+m(#q|qaMg5Fz@*QI;P(m@}$r}
zNRO+wynbv*^@Qz82{Q9dTyOxLGXvAcU@z9E3b<C8hOFyAY_G!3$09YnEV;&OF0TF^
zXwV_D?9zNdq>;4fDle|$NdPN2Oo_B@#2^TwVl7hpXAhP=@6aa{<dX-z7xEkO6UTzJ
zMrWO#&cwkNN66y?XI<E<0QpX}*Tn&4%AEnb3(qXFFtQt+!=~e|mvc4Dj~;f=i|D98
zKm5`n%T5%z`!i4~KKriZj86vO=$byojMJ?g2&nU1;i}8q@{AaZStM#m^yjb!QB*u7
zv|1gSlqvH7`tvdtpEOJr$Legbf6#h&exQ(1HH4vy-J?zp5_TLkcPv;kR?A^YByEdx
zhgQHUh}QNt%M2Jv!`3PaLSn+(p{X|FZRckRW~P%nZv!#q@;Ly>%Rce`xH614GwAPM
z@8EKorL#Y`%gV3`%SNV*2K%+tYGS$>T_O%hC{_cFrixvA61ZihyS$OodVxoV&}`JN
z{E#rA(-tEV!kNV7;8pK)#1Hm<-m(PC*h&?=eaLi&Z0S?!z|ds?Os07fa~8M5rJh(i
z5Sdctp17BSf%8VAdIpu>p*c`Jv{!S9nmu`bMj&6@&2Xw7*J`y&e(bBMUFT>n`-M!j
zFbT>NgN4(|eX`oF(y5IUGA_>jU?jTP#r|oZ#pW^5R!OR)%QazB)o=7Bt7YaqrrUo3
zWw|^{SZ$Mg#v)(4aB$=<l^tWFLpw{Z4J#$EgHt;n2OC_rq)=-&R%nY%rY)^(K&KBY
z@0F=vr*z5bK<FWb2=ag{pNh6INs9m8d;%N~1Wst7X*8jQQDV;pO%aF0?|l01L{t#J
zPvkcds>CF8=p7LRIf&hI2U}2Tf4vNoVb&4dKC#okeY@mjf)mgeK-yi|VutmWdhLvk
zFCSU2pX5M2{!3X0BtGX|!pCCbHqD#<q9UwF;$tBX91?*zr54o{vVOdo>5z@D=-qID
z(^0GY<VC((?6h@BD}Hxr7Do`E3!y*VA1KMY6h4gGeNwh(y9oqr1cJL5vVC<72}FRh
z%1FjD5Y;uJ!_NuUhTw9P^UT^lW2x~wBbKbi#`m=1cN$^c+da&z(vp|7)Pqr(D&9`H
z6J}7TE=m{3glpW-#Cp|nK;Ft=k4C}>l0`p^Y<j3B!L<ceu@?gx+#)WHF4m{_ijhuQ
zr^@=3PJba#0m40btmM$KX`Ep}Y1{i9yf5rRoBsTo(g+qwTqrxs-;=qdW?vpLV=?G8
zrqi7jzTvLCg6bj`g*F-i`r%Km-`NVkEnxsN87^GmYA8rH@jaIoAl$6c#GWMXR2LH2
z3%#^MmjuP?uWd{&i%t&mcy2h@?-0x!W1@0~xYW;cdqbc@ez&5rzoVJ-;<fpl##Mj^
ze$wOVHLxM%0U_EI28uyf0n{xfqtjLnBUm@W(hU1(!UiZm(XY*4?;rAd=7?rh?=!mK
zJ+()r%Vw;TXtv+_+-{i7+;KnEfneW|6?}i=_H7;3zUoZ57^RBdm5MJmQQh~T6?A|R
zK<AQ<;-2_&fM<S}8z+E4ND?ohG)At>@ix9{y$qWK-K@@KD>;Z3-NRXqv$e(>eZ`m7
zA|UE_ORyqI7yM2*cbN?vBk~|}H*#ayw+D9iJScTOY)SvP)8LUawfnsPI<QK!swW?W
zdVxg7TF!e3(Fh7eo&IW;(8Jf~jH(J=10MeD;{X@N1a@-|IBT9}{Vu<iteTR(RW-@J
zT?!Eks1s5dObJSFV(^}=h#iidy0m1#code~1^JC+E&kBzp3wyzM!`mKlwiVZKk(MN
zjOUyx*Q+_RwfR1%@yNa?N%pjWB*&p{y|tvm$y^FaiL^uERl4iU9wmUfW*jGpTc(%f
zT6tMblOQa(9+<yVRhcD5hb=IglKGcQkjnncC0`x?%Oz-Xe_Ueu|Jc|5%O!uOi75Yh
z;{U#Ip$z=DO9ub#5;VDgT(aW&Z<k0TQ(0Ybw>45$X;kTzQh1}KPRpWLT2K6hyLd7q
zPo%^{d!Qe{Oi^}WZf$Ka&4KO{N&pddIL8r1UhMmMY|J)!*bgbDsIM1JW5-%+kI*~=
z_j%f~c9meu1@NPHZn}bH@9xb%z4~l(=&NCrCdK#aJ93}iCYzb}@y}b>lq2bkX8KXU
zSX6Q_i~dU})^-#F&SdoM7ky(jcxm}SQ@z09T`B9#1Xl0gOGAia<i^6n!uFjY0LCE!
zRQS=a2=-wd^{L6!pO>46Ij4|F9*li{aDyo!Va4ZZ8jQKSh2L``?}{r0(Pi@9Og?be
z*`$zyROoRFQH+9^dMZ}2y6c>zX6J~^>5OR5;ZIHwaBgUMk8nLSFd-L}$kSA;szT&u
z{GPH8OAaTBCR1{bW~UmyldH{J%_VpT&RkuP>=?637ZrE`3~E*-!;f_w9)nzIdAAH_
zt5V`eJ;GRd%tq@gT4w4OLL)lcgV$xfM@iLc{t@Y_@xNr?SpsxmtbhaZB9z@Pc)H_5
zUpL%4LYJ*6NMHq|sjC_ei3N6nN^8bcA$DS%X(F6vFlD=&<^nZr=%8_94`qVL^r)dC
z^sji|It{$b5Hj#2>5|*mDmwMN(+JwPFfsHI(^U%%f;M0w)vZOzik&OnmlYdmv<)*z
zSQ^4I*{_Q#ysYAv*P~#s$Fn}=Z;YtZ;YrK9o}Sg`XaXDy+{?JF@dpA`Sjd_p^s`7=
z5LOXwFc6|@{;cwER2Ieh4cC)KCOBR}$6~kd4IX*T|LU0)kGd_6z7bKxgzP8bjxP79
zCr?8C)zoFtPQuxly2m1ym7>-guGA=SX*$09X?vc)CyL~=J-KV_&0ea9<+`xEg-EfJ
zdR&s3J;?=B0hLh7+%zrND~&S1&SDWf$bip&Q>&wC&E)b!pQU>9*9YQuS(DvX0a5*i
zr>2sNSkNnYZNARo(kA!GZw2Zjvh~DAR66zWRc&Ggg!179{AG{$1z33no${0}aFch*
zwQdjR2nl0)Q9F~wg91=WddOw>%2^Rm_4wtk9Va(QHxzTd3=Zdel!>2eM$DX$;k5Ru
z+sU(O3d2w|sNqV^t&^dTk`wF^awO%rRk~C_L{#R88j8Ci#PLpjyt|RV^n09#Lgci&
zN6)9t^XoV8Ve}1=nmG7b7O159ZnN3DRVqX&;dB(_6>-s<V%^W>gSV@XXfI5_%*<i}
ziKP^rYS{RF3d$UM=)?}tKz!st#xf6KV1B$+kW;lwQAlSJK}$H{S(4?E`u0W(3YX7R
z2jau+9&lOd$`gXnW%WwIJTL{ROE8c7#3_eY_f#E5(U$!1aS2@CRRu4w(e&yQ%$vFl
z`$fe`<%kHefSkyIt`OnNHEzp$#@q&xLp5wF=&QS!Pp*uMFmzrQh%~h0#XmSj-ymR^
zv!+G$JL?x%BN`}P`0f?0J7u7yW&9JZLkWI>dNIzQ6frm~;IXmc?`)JBalZcPS`icR
zTpH|aOO)NG>DXSlldPW+_g?D|<lqnA-=_QfC@8iF0xAnfKXW|f%Q5Vsp@HHdtC7*r
zO%yC7e!2Y8Zm7sPG>9HCdsC1PCT9qPQ4iHx$h_mv+ZWe>S-Gk+g7qZvnEy4b2@cqg
zPXs_oq=oVH23CI9DNt&@Gg!T(kLf4sZQP#mXGYUK07}gL@TYM0j-@jnyJb?`PdtyW
zb%1*yri;$*pwqH8FaP(ji%#OeaY1b6L2Wrf)xp_JQ|?Pjbi13AuJ8TAa7u7wi0R{T
zI<cM$TYlSZ?HYTr8ajT1Ik-Zesly(?`hHs<G!YLE>2>%z{}eVT(f1nZ!z=uy3p*6r
zcjGiMTs^?e@gFCur9=-;a2oU7N|R>4`(`ZAmZAByej`7jrkN0q7cIg<cE2BmT0Y9P
zkUKXM>9+6)ciLG7#;4UPqe1=UlJWm0Kgi$YANV)<v7i1S|LWeq$*&(-70Exn%y}<z
zW(7%RuNAel5K4d}T7|u9OXTucx?w8)&LSRUpvFzkd}B5yA)3!_u!?Aa*iXXJiL#(d
zja>X)O%42k4w9fw0gH|v<qH)ysj==HAT2IY7!szVr>hX4(eN`JTGAldLW|RojWv9q
ztQo|T7KHMU5#Cpmg{-c%w`KmR-?a`<CxM%vJ^OWy6d0^N6o%dCSC|s&)m1iaB2&|w
z4g+97=d$DPJT0oq6E0JXBa>+V=6K^u9{Bwy5dinl_Usd6vr0u7&O1i595l&*0wre*
zL~17(aCQFU9Dh_`1Cjjgk!)9M>azlc_WO;ll(BmzSny_o=7eDZXTyXoKxj!wLvR!T
zu6RHZ{LAa7fV~8=NTX&5Eb8}3D3W<ty;e+6`;ngt$<CUg_`M&XPGk}3a>cPsx*3#4
z^2sn~CFjp*-8ec(>3uqA<dVge(2vdc2TCQ}Q_JmLfL;*~+2ETV(x1hq5%>|@V=s=2
zXrw+xnxQxW`<@<IZ&1pxyzsG<N7+h<Wf$+pduSqNL%G_`LqV%l&!rIB3gDn4D0s_`
ze||k5@zhZVA>KDF8Iq9vxp0OaZV(lxR8ih};&>Mj*_ytS*kaTgs?#=r{NdUMW@Uvq
zZJ@)5U%tSS_Fsk~hMdY8p9{^y_E}gYB<G_SfEtfE0_?{0gQPM@^fXWV5g&<5s^U>u
zUo3AA-lp}*gnKtd+kCa=c)-741io*0rNtFts1&|28;T(lt1AZ>I)wpJuiinK+Ay$C
zQ+Mmrp|W-37{`iR;ow=W<3D5Bm&#OE))IB5y_yTfz?m!+>%UFn#8QSPYE#-)_O@U%
zTauIsgqLeueN-lzZp81QTXzOc#6IrTy7b7hq%USMnvAQ@UQTrkED3zBDp2FG$Ev**
zbQBF@M<}<kMNnJy$S8~2nOdHV23gfp*>;g07!iju&kRbGc-&N=g6KD0(axeIr+1H$
z<8(xlYHg0;ENF;&d()3_3wFcE1SvIw!t-KtiEPSsp{{n^(csPE)d^HnG(jyZU>($F
zG|8R$mZoVe*TcnVTrJ4Olrk5NS@7P(xpY>IV&Sb`oL7C)6n!&%ZFzUnxX4Jtu(}JY
z^_O9kzG0QFf)uodp_^vvtKH=ZCn{iXotP<urGZ5;Q@Aznb+fVPHUzG(t}twNh&&q$
z^G<qeT*z*Wsyz9mWgC!Z0P5viqx16*REw$_wnxv&2ha~c-J-KmU&E{NaRtK-!0p`Q
zTghS$Exa@`#7Z!&6Wz2alSn~4fIBk8_HKUHGk%>gdpz|U`E(e5-$<f6y@LCbsu~o+
zG&J&y$`NAe%1|`h`C_+{I~}-AH3|9kY@Lf>TAssu`^dS-o2a+f)r;dHhXeyDaEE6{
z5QAlPDx&B-076F%Et9a<iGmh?upIrk8C#?f4b6DOPjDReL5Nc*_kfL)aVcD^EO~sl
zqf&|%FEv@GTe1lc6IE5OLfz&@^EZI!qNw)*-O`xK3mo&i&|57EZMVUR;Vw_h=mf8M
z4@U2Q)p_`~zyof(qU?6Jf{{s~Kh0_xn{uW59gvN~fk^1x7*Ah6f7d9O2q`Ud6DeUd
zzxyMFu0NVHRa&!}$jt=>+84ytu|7`GSB{0$bJw%|*gKkyaMjEV(X<lvZd+2fYRW(5
zYpL>unB*|TlKdHQ|KL3;je^cGFB`Tcc~8y2HY;%@Xd_qe4qid-PryrCd!&YB`kBkG
z%a7VR0ziv5H`RBw#Ao#yf_qC^wR&;Juf0w9o*9*UU>dO%RfiGbR=IuGQYeNcG~-CF
z3U``aw4^7&n)%bR3h%N3P`|MII=pDZOh;+&o~#HbuU-?Dq8UE-i+~V#+Pof30N#rB
z#YX<S23$%b(Q`4WSaS!i23}IEs7||!WeG)bwqM;%<LefGk^lHVtBA9d|5Zi&32H>Z
zYxw`GBBaazvx)%y+a>+~b_rqjKQ77mf4$wv9ml{@s?EW<!ryjrfA*)V!$>QohU`N}
z^!8#1#S8&}pNx5V7M&pLnFC$~XCWgQEygQ2Y7_ciQ>$_G7g?b?jcf9#+(R@;RA-ff
z5pRGMHXj!a7(q%qeZD`NTMo^tMEJO?s3mGV0~>uZuQ>Q|orzOGqriH=2dlRL=VRN)
z_aO7A;-&9sEAYe00jJ4e2Rz8%dQs$iehwC}4;?p&tG4v`fV?|xF^@poF286+)dF65
z4|c&dm|5%VF<gc5K_w`h<OkqIZu*}Dj$9)WQISwUPl6c0E0aLcZbn`QF_;B!`3{CZ
zi(<!_P$8ftL5#WsfZn4JCUg|ZFIZAsPEND(*hAOoq=O}<0n6#z?YSb75O;5S-}cEi
z(K4KlaG9W+vWo|g>o9@t#mAvf5@)uA8iPDVMcDqNDHk6gl6Iplx+IQ^`JXm0oYZJa
ztP>td6AnLG9)HA5-0IDCX;eA?z+&Sl{^1<=zL?!AEV^Bb3pOG`QxLtRTEV}U)b(V-
z&3|>kpB`>otu}e16AtSf&WP|8@hX#-Dov~yP2+7sl+v^aXc$WyBA4Lw6?`{h2``50
zkHL5>2_d-XCUxUV)%~DyD+pCtw33&`?J%iof~~po+)U44;|fCzAXKBiPLhH^n4w+#
zt@*Vp%ZYOO(`YJ}{~mHn%pXL<+fG+q{DPFaSJS$6URF`y$_MNB&SW3xE{~wOYNssu
zC<&?NYFm&*RX}fs(E=o(sKAxpEK7Z#PLU31eiL#~fR0ZQJ5Ay6#<d-X_XO=D%`JOu
zvW;@*JqszCmXXZ2uGmCBL)mR>@$%JCGP`0_<K`3|)LKPKhnh*QBCVg<ZvP0uE^eTc
zm|SnSbWcjckTm|q8<@TBSLlfZK0D2@Lz*HQ&7I)H9+e(ze5D~=zyA^?dHu!6z)_F@
zur5zfr@_SM=cs#4hQIQo+U=s(uYes}n*2JjWy?A_AF0TOuUuLJw~>bEJ)onFEUAq8
z>ePVoi61`cYb2}E@~l@&4kDJSzC*ffys!;6<%qCmn!s9CfUM|3VZ;!(jmL-hE*56`
zC&5%sk2w6oc|KI}{dR)-TaLQ|k`y!T6?izPs6j_6VM<&?OQm7Q1PP|0Fh~X9h>Dky
zV$<T+HTuw%rJ2>zpSJT{$p<oU>o7@AEwf*wJZgB7*l^~)kQcq(WuqScN>KPrlo5U)
zuaWsTakGzVZ%c~qQg=~P4ld)aZ3)M@Z2IxgxGS{a_x2ExClgz++l-N!`+c~~@wfmQ
z!|;Lx(Uid^6xvD>mZIO$No`O*q!#J|{Y`pNgBs`hqR;f-7Epb>nx#!uxxw{Tq$2tk
zN{X^hT}P#Bgtc5J7v4{al4Jvo+qHtIZA#A#eXbg=lTnL@;AvFeZxngU%GA3Jms-6l
zMOi1dsedMGNlDiU7byq)v52&1KQ7Eftt7A@ZWzCSxXX_Tp4QrxUW>rp;lS7K1m?$s
z%N0x6DulH2U93VjCG%6)U(qio%@Ke;lyGLUAGEFGRZixl0p6);7rHcrDbILkPi_h&
zyovAVo27SqjnFgu0aTjv=CnfCb?+e>7S{lu5^Y7qFgPN{XVzu?^<j05I^nkRG>mlB
zUyG)(1;#3#TUy~7Xugu>3|!|XdS>ObR&sXFRdst5HqCsVuGCxIUk7M1snr<AQ-{WB
z#yhbuDOI5>Cy5G0H8kJ521G1T?4ypuzxLjcu^8dA`P@WivmV(ZJYR=*z%p6(mCwHa
zG-`RdAq+cNy1gLqd1Hbsz3#-YBY23^Cu&YW^}&BNkImhKdY9)rR}U8ek`iCvg4Q@B
z;gTgC)msGw*I<e1!D(%QaPz{ZiN?2zcm&LUV&ksAw!MDjH7)Q-=O2`EZ4$fFY!x(&
zIlvY%?_W)azfQwb{}zAgFkpTn(*4UNSQY=(kz(!sUoIgR3qbr=g5dw@Na6f>;(v6c
z!2Whg-@jc#F7}U0B)b1ymzbFzx(S211K^d`5piBBWQNy2>jHfk>h`<roGP#Xxervt
zVEv?)!h-7UV6ARD7b4f=R>L~)yv6D5J@XT0Y{8cLq&{%su>#gc{v+y_J>2oQd}Atg
zRSD`j$HV-D8<fhefX46X0&<VL?bnWTK#Lt)(we}@+TD@5tqHs_I`Kr5U5>ikO-evH
zA99Tv6X!vL2~uxLOETxL?ouIIvjr#^&ZKS<A`3EkAPHA6*PwW~*XvA@C^5>I4=lBh
zt(hx7E+St~TM>V@+-M|4WwH2{6X%Qa26=0=FUqY|nc8Rz3cSFq0JQF;Re<MwUN6Po
zJJ6Pj023h$rPrW4wal8_#T+tH44-Q7%s-n#h5%y=uOLswRA&POz;4d35u?L-#x2HA
zprn3E1l+U-j8}`lvIWPFmA5pV7L}m;#+{#>*osZ3PXJbA0;{UXt5~m^Nbns51*Lw}
zVKqa$G_ienfyS*C+g>)!FO8C>HD8E#sQ&sIw>=b3OzcbHX>Cca4La54P^Su^>&A$#
zO$xIr@W%8nRqe6c>y2QOha@mxL*f9(-m3FfggyTeah;(M|1tAkcj3FZ(euEkN?%ng
z8rAryLJSF)_VZK5hxxkly4?^n{Ng#PJRWAMmSI9uawpQDfdrgG>q*i6m*E#J%n_ht
zkR#A;A1?OAWe;F_Dti^xQKCul!t>IpT88RU*~ExoDtrrq8W8}zS9EP3Hh!7k6N)`b
zV1I;JpNpgIa6B8}FQ!dfz%l^*`vmRvyH*=&P=-uHt6jJdFEo}0e{OGPx(Cy$vzg_f
zJr}@9jGAkXi|$PAy_SLYrw64{Ul@*<mV8H}jX}~Y8)?$bdFCQ`v7Em32uQ<onC3YI
zPTsouH*d~)hLL89HDow9k)ve_)|lKt4m?37@Li>ko^xtIIn~;&vc>S;C@1&&>z0wK
z9Z`wS+o4#9A+a(Bwol^flcz=(o+`$l5d$`S(379#+jk)_<(5o=kve>OcT-Bt6R>bA
zVFGyj#vwq}8B@~O9nqJ9zZ|6wpeFHYNk8k}z2V!P7z|-vGE4iX1HxX<;rPR^E_a=m
zNjX*TipK4ja&Qj6z$~1HV=IReq?rODKG^WooQm7l)0<M4e_rk+_!oda`m})Vc?nEW
zeZ3juAEY^^5}-&v0M8-IG2z?C1l1}IZbkJvQaTe4x)yGl{Xk;-v_NMQfNNf@HFg!q
z_qF_-K7&GC@Cf&Clz}{_EOF{h1D5B4%lV25XzhfA&{u+mTzLWKMM!*1^;b)arP~!T
zQK>Q%)B-Gp+_opPx&gx6S&`&sr#815SzK%;JzjTC4MdVFB16h7Q~4Us<SDQtf{dF3
zFRimo&gBmyQ#c_B=J7+HvVw+*r^fmDU<PQk1x^EB*-f?9vR;xf8r?g?+C+Jz9p9v>
zEmDA(CX)Ps3P;agw;u0LhsflJTIA=uFZM7?D#i`9yIoHCfpa-tMu>|Q*?xZWJv*c`
z5-0NmIjp&0vnNtZcnyKl`aPA5QLpb%T0;dgr5?vDgszr~(E<Vv3lU>r<uqeHreC`-
z3%<Xp+X;F0m7aZ+ABO&E`Pv*X)W<w2TMwD2zn=x;hurkqDr*4;&}*q02g%X7uDg$@
zjhe3y@yggGQR!ErG=KpJa|IAw_C2qqc*{pxU$vL}V+Sr{NB{;#&wysrdWYvYrv@up
z{}HXg=sU7`lyOB`RUzj>sYx_MHtLNlD}v_s>^0G03c|zhp{DFNCO)`rClOtE2{<03
z3{dCy3WHyKrM4(G&~r~l5>x?H?DcbzhRlV8xA!9)*FD7CRg<<1mE$t@WQ+&=;tE5Y
zN38>IG7D;AEx<4eh}wMO>`L{f1;nB!RgAryM0;Q|Ap9?pF_<8<!c%T;Eii9s72`Jt
z?s?y9THc&xTfG~Ff4PM35Bb^t+)w)J^Zz-bMA3`%|L>B&zO3-)bQO`^|9wJC^uPT9
z{<lAR|LqT&tAG5Fcl&RDl<K}Q=>&M7kU+EF1Rv;0q9b0cj)`*-8zc9cqWyY{$>#>B
zU{?6Si#2gh2&I)2{+{yO(KJuZOl~uHK(LJue2{IuQ8-f9kt!B<@>&bmPt%x;&leo*
zb<9O;GpCTcnq5u|{Dy!V&ycK~A`>%sDr`jA6r#DZ+pjV4r~fV>GV`Ir!8+B`*b%Mo
zqf<{D1S*Td4+kLA<R*n^*90}Fk#ngr#3vX@`xJ~-Pp*KK#V5Ced;rh8i#l-!ea9X3
zEP$73z&AtUU9q8gz7PZH#^c_I%6NL^YU{qO#8Vrcne#O`SCdb?v_na3@lMloi)Ph+
zafx?CIg!BSgrND@(gOCa_tAa0bM<6Ulb+z9G&*LFPA&4yet3zYL3odni-1)V!kl^J
zK(od91KJHC5ox@HicU)EQ_xCUQBSmpzOz451q$%(7?uj?5Alu_%FLqQOU_e+v$7PM
zR0(;OAIQ4Csj44wJ^E^)pkZSU0BAeC2C1amom=USvJ9dRCCZHEwsk=khtlNkcxajk
z-&FB_k0ZRQ=$R&7Fyid#>s0v|AA8I0)0&5a45KCUHYW(?0tqWnQst=I4VJ5w<d6ER
zvZzg$+Q0e*#=Xwef49|<zSkDH+u5FBp@Dd@wM6qM5P_mrq~-d-E}-&FgY0~IwAL9^
zr=iauBe-DC$VDdA*gyarYLp*>7gwi!etE3o|NOG7IEW$5!n|`3;R9-9GC0xtIHVgG
zb6*mkhtVDpn@@bA<|LX%UQwBXM{&_t+FtQVOW^RPbqE0Xja+Jk!8@#D$If|==c{`v
z0!?Q};=i1e+Oi+qJrzig3RS_9Lh+Cjl!qx0i1R*=7;d7X{QWcn*O@Ey#^+vNtzsDn
z{3_ciW#1<|Y*GBW{m>dyxZfqfBn&3#!Ax^mbYJBEpibjj30?~FCs*ectM9j7KCu%y
zYfjUpP+HDFC1yLfn@BQCcTRA9bN`R*W0zSnCCi@ZE%-K(SUb5tS8rxhN@<!vMkeWc
zB>Z<oj<;jXnkL><hZa$31#C`bTKYiuGNJ?ha^?ng?hv84U^HE=qjmU1659##HC<To
zim9m><tQ+v7TB`z`{Z;g%c`y{;4`J1uWgC&5l%#!gFz`W1HyDvspTIi?uAi|3t5|&
z9azI3W?Z_i{UjnlrVtFGoU82bmmUX{hVX}B&vUn_AHh-)@5xoiOsCs5BS5<EzvVcs
z$+2!8FX#anlZ^-6(ZJhcmg;!Rtd;|xqj9vaIY%YbTUhxF_q}A1^Ha~SLzO}II~92x
zqL}O*Sh;whuP9W<TTm@22>dT(Y<c=jAaR^V80L_1iHf#2m|Wl)R2t6r0+B+wmJ$?!
zKbsd8v?YY63syQjSaP6LXxX!YJSyin2FAHTXvG}p8`qIelsBN}D})(0&U5Is-rU`w
zt7%axxrJ%GGk-3bE5;zpBVcjV@mHC#({l)!!rilx<noj~xN*>XjKOg_4u)~lTg0UD
zNp?BcYyY+!Hhb+I<aCT`gJBPLQtmeSQ!s4EXpEZCE8LkP=UFH8r{;H_xI*4)y5@K_
zJ4Dh*#g45r!Y}&AG)DRKJJawyTI2V`(T->DrP5Ik=ca$;JWu4690s;hOQg)efTcm}
z8@`b&IIf5>keQm}N^%9xZDd7Re#zlviIyMGO=Vi~5v^%x_tOzgnwv>VsZ8ODV%2G+
z%xDVTpKe$rX_-@SE!%)n`PM=ZKjP$2VQAmlR2?gb(LCRT;1Wn4NU>)=f$BRiXY=bd
zANMX|W#AIh-rj${x))!`>#*?c%tCb6O*a!Uw}_D!a_9C<gYnJPj3mK~eRe8MYBGmP
z-zMw!NVX3S(CYM!?)aCBwQ-M+dTyvOKQGzg#1b+~cK+Vm;JzX8C=f8_#zE(B9a_A3
zWrd3$x!Gr3mHW#d+?D@XIsBQl`ZE{R^KbGqrTjzw7NCEV-;5N|N}x)l$n&v>QKzkw
z-H<hiuI|?dlpQJnAy~o~ptE5N2CP*CmClRgo1-8c__)<e9j|~?CWm;r`Lmh@vCEO%
zDmzn>XP{?nF5$$ldGgAbVSyK_;<_haW%9gXP^jV$|BB+{v7=I>RlOL;f%u`uFdhY?
zHbR00A|@-JBoWl5)^{?x<s*UQS*;;A))oB}cM4ENq?yU#nhI$6SRiIp2oib=zB)fO
zO7}iLQ*s}b+2c2P)r5jejkp8Ef+~;-0W|@ir>Ylx-bZKnl_A4%c4U;u_sYh|I5F)^
zg8nZ@Uq}%XqHsSgPVTeB^gW@Z5v=R-{w!)Jq0A`&Ztu4v&QE|ZS4%L~F|84J$v*5@
zO)kFa^P?K<nHSiZZ}IKeQq0g(7#DI7kwJUW+%8R}V@tRU0A~Z|4R=9`+FwebJ!}Je
z(m;3D$5?6jpWb7fJRE#A4tW0d%0J5QGL=Fj6~H|qjpa5is8-B}@Jfs;>#?)!B>=px
zNV()~Vp4W3mR}Y=^cHIbhEGCTVN4FtE4OG;Q}iQ*#eQOj4Cz)9Rh=c)&N~5Fiz-X2
zQYy&wbp$M62hWRk(8Dbf@UvOb3Ew?ON`^0VL5Lvh?3SYv2JqX`wtv9F<tk$hNU+ej
z0EXJ*_{%txd+q}&zp6|z`xPSF4^R^3^bSVFVmT=obm#l9y8YOQC24GFOAt`!3qW{P
z#!{=&GtE0|ot&WKS#;!C;bL((K7WIhM8#@@#>Y>I-b!8Tvc)hGl#i5*iW>cKhU;_4
zBi)=4m$<vkMENF4Ox>ZBRNaS9Yr$Koh$i6_V~>(td*<0g$1ou$=S~GZXBLn6Zo52A
zL8g8Mt+AYtqcbgQa8fsY6Y5eU<{gs9OjBP}3?ipjrd}2$NICT38j*qp-;)v}B(b>4
zxh9qj?^aE7)VGtImN`JrF?2G<iK;qrJ5?N9{2lROb`vD8OGezWxqifn%Y>Gr@26)+
zolHP=TKMh-?v{w$B+rm#USc>Pq3b9LTedM#V%P{0*vfA2Gq3AN4B;a!?s(5WZ1p~z
z4t5R4n=r#>1tWE7ucy29ealf;Qj1aNNF4FTu$hk#N7g&UED;bBIzZaVwMn)WM&4?V
z_>FRF8VxpnYru7Vl<usAGVDnc5As<w)>zZ{VY{o{AqX;Ng+_1M+$U`|n{1W`a>FXq
zXHS0R%)?igsmRS!U-m?-B1xHA16y`BusRL;id+hti_yK<T`(&AsN6j@8C?#{av3HU
zv>cVn2`kK9+9qZ39FB1LXXBh?F%1U;`1Qaq04NeD72pJa&zz_<Ja8l1_g8b4Cx+B<
zUM+BXMktC5u3idH%9Tcm4RmS&=NFYbFpXnO?@m_tpUFW!pPG|#zd)}<V$Lpo!vh?k
z(w0&{U+f`eK^JBM>O5}a#sznkL;IBZb@~{?#)*NU8k}jBCn|bLU2uemb}R;}X~(!^
zq2*1Tq6hSF`!A>iR{59>Z{@nTaQQ303!1L?&}ezjn9YoBeTkT43}5@<n)G$Mkg0Zf
z8+uA%MIf?Xy>yv@Cc;5<z7ifrT}WV9se+yIo(6DL8r}31a$_fwdP>yTx9Ol9`C_f#
zK~kt~`t9`|o+ns9p_pg#DX|u~2tnILF2x%i?Xh%jm$T=LDh=*pguQ4t6~Fl-hhs7o
z5Z2u1`-C&K8%X3De0O2xJo%??9VEei-H%pKE9xm-O&vA-Sn(C8BySvu7)Iw7y{Jqd
z!QJG;cgCo>Batx0PyU_dAtj8)E-a}rq6B(mxC|TuMXk1-j8~N<ISdX%Xs$HKuK3YW
z#+6@sximM5ZOIJQyYe$8D`1tKJ<+$S?Rlp7`fZcUawT<?Ec>}&)Vw;ZyfxfBEwU$E
zi0FhYP<D$Q)|7gcAa9w9kVdLoE)w6XT%HA#hCku&E>zWjk{|MK@^}B6{2YA$kbi*g
z-{f!8PH&+jf9rq{`#B&em;Gg!+N>9DZ#1}7q;ah7+>{Gz6o}IGl!GLq^{d)TkggFM
zw-^CIWq3oqN;m&uP&?{zz<#+~`1%(MUN$>{Qp)j%Euym4D4A`w5Z*YBs=a<?-b0}7
zyo$jx^i$S*f+p~g11kDywrNz<Dx|Bwpdk(B1y$L@?EO*~+qPtLGPSl}S8!hPH!oI|
z2?6?~YMPbElEVx?14FZ<wks2%-grji4Dm_psX;$}?UnWH${@s~yjS@T-Era49y8@y
z`(RC}dk0f>(hwN;lH8c+5N5OI`Bs_RXPsp(*pPDy?m-UMJhZ`2`dQl4B5!Ty%e5L4
z*@5hUXjvIcI2RDooF04?bArlM;vDSVCF!||>CMa$3N7?XxclP)PPwFDVJfw?>dFiJ
zr0ZB5TT2t0%ACQ-l$uS76UQD*z=3T(T$t0yP59H(Xog~Bkco!~<!6lvx!WCwVSwug
z__VQ9?&Xb;>|J(wi}pZZIbO>zw=v(L-!CR$17pHg&^&7ArQ1TSt7ac~6$+U;)w?g;
zjDem0r>TjREc+JX9oO-j*!cFC1EdXH08O7M*h<O$+?car=$J~LmKwYS;rUxnwO2z<
zLXG<Bg+XmN?&zB5ZStFqm<LTHoc3B0?pPDNZo2OcmvFyOQkUEKoXi2+P5fO}G>K;q
z_z&~FAGHb^S=ljs^xDMt$TGo_7wa-$+F$z%PK8wHv?|HYmzaxxff$VnPr1e&4Vhb?
z+?uao9|)fi%VQB^j}B9x%a@<5RA)KrZkMFhfKnK%!QfGREfkt4T?O;uyr95GZBJVW
zu-uOIKUK`|IHt!7o#`51OaJs)1;}ePICBzZs@U}p6y2HUDN2|)<|{eNU2STzpvn*N
zPYCib>dgnL)H=pAzlZMV0_xg~yu0kplJ$=~9c~Dm+cq&>Ix#5k>weXJ5u~zsSYsGz
zXg>{e1p#e2_II%xS6gpU!Lbq7iT0PDncOPt=ccQ<lL#asD<t(hPi!SYW=zNFa}4+%
zH3~D94-_LsyhuABhU_V@J%$RXN<~s?kXDVg7SSrOepCp5Z@TEmcVz$WLdIl+k9w&y
z(V%T}60itggQo1Ecb`X@oLh(gK6~evdIXuG2Y9uW$mM3>cF^43rc;~qZk_+J6c6vd
zD-0E7R+*#?2%kS9Ws>8ltT}PZY{!DZDv7xcKf|{+lWTCPotY@TgmSrgZ7hr#F$DS;
z6u`nzyE<K%bvpg5c&ng9%ZdzaPjY4g9v7m={zBTk){UWXU&g0pq{|-->w*URJ|QC;
z@49M_`$%pEj%cHJ(GrfXMlpeBlI}_e0p?mjX13&>fx#qUr|<WezfZy^Cr5L~UPf3&
zGUwinRe0S2^=R5%vxC4KSPHr_ELQ!QOKIvE%rD~43)>!9ZY_vtBFepJyreWLU&8Ds
z7PZngUy;opRVUlQI+}v@Be0p>!(6kNp)UAOa@gV-_Q>Qw6;ug#9^<|v`S3@B;$A0m
z;FcJ0O=Y>-S4b@X*^I38cY*}7HH-%N3t#vh#h;mx3X;`9yvqbpi0!AkRvs@sU(=T{
z12pyOZLL^KN^~Hwu{A9XUU%grVb<^L3>GHaDd}(|pXxI!&`=H@njlSq^I2Xb#aqeI
zi%Rg-(Af8FP<ohw*WzQ`pIBIeNC9Pu5~-ekcOB7oy?~nJ6G9TdbuR@pB%LxofITS9
z=-7|)K(KAkhPR?jch`G7qa1_8wd+HD*}Ef6H#&sxdy^A#(f04(yJ|Cz-rYifVA_=j
z$%I@JXO)9vTNF$tt5ma|Y*H|wXdo-5SNbXZewW8!k?VE#Ycs)XrvPeDDc0CgJuJQ5
z+(z(i4~?tPY3FtEaY<wKbmy1B>=kb;bggWnyQKXxyOB0T!!+B*e99KPrG6rt`M>zO
zr{+x8ZVSM%ZL?!19otFAwr$(CZQHhO+eXKBcCS_S?W#Um|KL5kYCiWn$C&@f|JM7T
z@<aVAfA`<=b07atejKa+mtXu(qB{FFq7;t3fR~k}20m)GTlJl|BMb>L>Qe1>>w1{x
z_iXMdzUN8TJ7x=6D=sDCFMxxONAvDp9R^ad%)uSi<3r~sC0OHTvP>c9(B$xeg8t6y
zqQbz#A8>I=aLh~Df)#62vgcn#=bnxHEI7cI3oqe*LDY{kWfSn^a*yj4BIPxGU=^$~
z>--t(EK=faznQo`iU(wu?LS>J<&XxgA3ZIlRz3)%?HS}#xd8=6W7G2;5Ios_h0F^<
zmEl$G`uaP|_eG7gTld>h67aoRZ}rtr!qf+IzB6I=)bZeIsht3&0v;xZC+C^GSDWc@
zG6|vz8o`A%|7NSEH(?oMu4RHRkXq5WUJi@fV(3kF4~@J%-v7MB%oSG+;mBb%9Pt&O
z6KlZW=hkHF`u<_ES8j^*ErwuM?Dw$@x+#@A;J^&0$;;cfuI}vpy+@gdBfQ7xs`0UD
zzu^>Y52fsME`~Z7p*NeXi5+ctOpleJK_?THwqB~%mW8@y?5!o=R#a{O?S`e;Jr>Iu
zC=otkM%Ul-486i(!~oRXyFU|@<%zd7@A*=#rXc%*U!>7;`-KNQpQ3hldyllEE@jn_
zvmn1{D>_7nn`sSYm5fH3%921uC;EDET=rF~2thmx5=V4RD)RL<@9W(spmbU3#CPpt
zuySs$k=7Q$pc4mE-or;o`~XMUL>v4fvGPQ9^e3+CP4|gSvy^R7`q|6ex(jbqS{p9{
zyR@%4Ig=5Nm0fJf3p8RD9`b0AS@lugmPSZkewY1hUqH&y_-j<<ec{NX&5ez0ceyc0
zD-0=FG7N*V>SMfM_0|YKZ2QcIyV$NmczVU)ZeH&K5SQgMV0_GW)s%SQFvU7_X2@<Z
zB?udkSbGf;vD1o)Mi-E#3%0NIOix<*xnQXdxs#^D#dT1j^&@Fc1z|xf$?YkXJ?yZQ
zJMHuFkubHw7j4jcDu}O!73!M*ip7@6bgYrU9Pl*x1N*hnNlxtCe4IYq8!~b5BAZmu
zSrPb(-i#106_Lgts9cBtEk-;Se_^`L61#WDdXe%p?M1;<DDShti(+x`Dpkm^PVaV!
z8-I~Chz^Jje^+Y?YDUhUcWMNLk>|QLOjAcSBDXf3-Z0Q{(Qw~mYp_%Fh9{};U?iUO
zt0R~ym{+C7?>fP$K5>g*oBBtZOicsS358#dM(&WcUdD+R9~~gHdhtm1u=$4g4e|aY
zVelw|_3oczBM%uV8{p@YLL6Qsg=bFVHlYHM<~-`JDz9jT$Vf}@UMXG5d>;F}btn{w
zt*U{G$H3G3JJ7FRH0knbyf<farX7ckG0*gV4U!Zw0{oR}VpDhQ8kc|arE>@$GoKnw
zD?xCsoJ?-Hb=sIY3#DbbLe8xfQC!4eaoXu;n5nM7F9w5kno1)o9ck~SDGhi*iUsrX
z5xFLGAb%n*jz02aTgcY<{%##i4y@mWb%@}V8nBm%>=pGCjK&{1ours78D3fLaMhuS
ztW<d@*L1@%G86Q=MSvL^M<O^(q5)dvUs+(#n85?7CkyuecnJcfrYMF&w5V@|*llMZ
zi;K#A{Dh^{)cB7YL!1Wix8V1MDiH6Y-vy`L`sw#rp@|f8`?eLKRq(5y+|9N+Qd?M+
z^s}WmjpPElxcb#!>v#HFH++2g)xb!|0>fta4x*97Aixu%{6~{l^G(Jq4&_R?>%y>x
zozOOL=wkrUW`hP@a+ti2B#d|LFGptINhFWX!Ef{RrI(9Fz}p*Ey$#$RTStYu3Bhg2
zA@wOTrTf5GZ_*~WV@h9B5>NSO8dc5f_~G%Jd+PfrydJV?ovwq`i7f;vhS6v&N7<_Y
zKvs`v{Q(=+X`9_WHT%A9__@8t^ghQoh6_`!Vp^C~+B;LQu+JN`?x_3{ooUtcq1FPM
z{Y&GqtFmB0aN^WU_f(?g|Hu!}_n-1Z|0{pj-|`Da|4;t?iNEC+OdznS5%DLYc6T3{
z^rES>y0{G3<`?FIuYFftDF`M({2q#GC%s@Cy#?9idE}(GB|$+J_ql_qewIk(oOrgK
zXASc<EfXe2I6z%k13uk&`tkGWow8@~S2pWYhzV`U5LYG1D;^w8Xs&1Qgi-aMHb{3=
zGP@!eP+KjP9>1V8!xg-1^jwjrAB9VUeTd}UbUn%+ChoLUJrM6SIl|kf$sO!AH~Mz-
zAPdn@sG=*H1OOVw{Rjxp`?4-#SEl{O{WZU<q^?+$A_&EkOXz6<RKYs+Z}v~MISC{R
zru&Y`qJ)SFUK#~9RIdz{zJn(Al<gJ>nupgToa^dnAC8s|&MMXlK)-3I+lk8@yCp5r
zsCUu)6G<g&5;Ht1PT}(M`kn#H;C@hsZy>YnR}Cqr+!hK!X3Vt|Mr+#M_|}@}AP25~
z?#7`Pk$39e0;y~VhwF~XY{`v%5gd4ULC@j`83kiDmsW}x!S-2wyO}GJy&xB$cIQOl
zZO3~3smr*oqwPKCp^sAB6nh^3Y}9-%v}3QH6l53M7m0cOQ~65<d7l5miUWG1B9)^q
z?C@t>Z{FS_mczP&gFIBipr1lr_<b6XW0I?EbGA>?I5Nw&X>L>L>!Jr_xs*QaGsXLd
z>H==)aSOx>$<z0Fe5*?K*PZ4~Zc3&QX43+HL;Rl4yd<QPqc(+tTV(&)=ta7SkYT}W
zZlH(D-dyvn3T`!^Ce5Mds~^?9R|6-*xu^Nir*;_WN|$a%5^k9!l}*<L<Z;%!1e0<x
z2tVOhYQKQ~;m`N4#C<OaLngw&8R|l{BY#f@;6cZT@e2H0Dc85mD{wi4Na^%1s3Fh@
z!9<gN`YgYPmu`V}>gkFSQS3?oWy}T3=QZuc@rSUPiJ2I|&qi1svD+%{6zu$*D8P=%
zR(Nb6Le{q(<bH8DvDq1MnP9YWhCE=P{S8U1&qFZMkHz{zlc9mO<>@5Ou+e~ChlGu1
ze{!oU^F1xNujTTaUq?uIbzHymyi;+I9zNM&CoF<$IV>({(F;a-V?+etlwzQVD^VCP
zOYIt&sGuxUAiP|6aNd+BVw8k~kZmL1;)5_EFBYaii3O6BV;`Num^;ldzNbU%NdW_@
z3A<d=6i}LJ^n^3DYcM=2JB%5yU~4|Bz>|_ysAEhve?JpEcD)xHyR?yGet!5AKjrHG
zZgrg9oL#`Es=Xw2R>Bmw)*(YYXwC{i({O{uQyeFJt&Y1xC=KtP%PE6OjrvTq{IzsT
zjRCfWcJe$w51N*3f!!&t$RMj*S#!gc!EF#-GC5CzSTYWIExpCRS%$WKfofus&;hbE
zKgk;x@+JFylPM9z!P;beK?&#FW$@yJVt}E|8y4gYhUi1<%_{T;v{9Cjb6Q0<>#<Vx
zKKS{|$d>FP1XJo7(X_o+zZix=gy(gWdkx?7lF-*av8KPN=8YPuJ#YKeu(X-_j1nCh
zQP6L~$61+9ZdEP$R2C`t_FE^JDefu~caRu(uJ0{A4#-|JnNm#S=cUC!`)=96DVD`)
ze&L}}xVxV}-()T%%yZ$IhUkKjfXvk`S0ukZ1V!gwjSWL@+BD87>#%wW=D0^&COkxz
zAe&3nY&J(LpX%Fle5)c6?$CS00*%UAgi3qgJ@5`#s5C0Ih>ildqOw~a4BOD$sM#)k
zupOO_jJxiOd!_H9f>81gY6H5i3%E)oM)9ptGySQFj4ljUCbli6APQI0VnQ~|^%5u*
zX?M!5y#<Fm;(%K1+NSB?SOwHs?YTB=G)a#3C|A{((tI}Z&%4gv#tGg+tTJOeOK*gO
zaNzHLXqIurxg1gy!B<&GE~H*u-j->Nz{^1~dX&2&iHAhzK44o^iE!ZgVnoc2mz4^%
z!s98HpWb`qqpiYM5Ir~O(x9~$GlmzyYr~r=kyJODlX(Bg5A)yh!~83M=il;+v;0r~
z0D`~ePncWjat{N1M*z~x`7~Bf8g_w6sS7O@74HAMSE*S-rK+<oidx@52FNaqq|17-
zxF_@b;Gk<thqJ3w1aOnApomAka_eX0rex&yDX!rK+J#smxpy{HJR0xtW*EIE{Dsy{
zFtLSKtvVp%;sWQdyD$ct&aXa-H#zqrZ~OA6hPVJcAfCG&uXS7+E6f|p&j!lYe@!O*
zAlLX~@E&=~Z;rTrasn}5nkibFecRj8fc=zLMKhkc)`6nPRZP7uz#fYJboHdk*r;ju
z&+j~Q8U>sT5yu!w1>yNt(aZOMalnq0BKfQ!8s&&%^An~HEeo4(-ccA{`qAm_U4t$j
zt^NZ|YS7R{8_4NP5vt_wk@CqBZg>9oyccus<S{JXeVHAq(DdsQh#w0TX@mx99KT!f
z)d0q}Vg%qugap<;PMHW-4#OKdKRj`>{i+ylq<Y9Ne(0XHdjub51(^+3TWq(vrPa&p
z9lOU#x>Rwb5oGn^g4y#k|EKIcf*D34KEK~8aVk=b?VVTczMK0OL%g;pjLm&+<K4rd
z@grjVDA60CsZpqy*E_lwk57t5*i}?$A=xd{xV}9A;3R8z;AbALwTYyqs<&~$E)S$V
zcV%hslrVupBx-Dp>Jif<Om9yOirrureWqO;po%Kc3kcg3fvp~@3Vz$us2n4X)vPt{
zt54I*zNk0%_5d4Q4UatJ-$gdh_ygiZ`xImMA!#+}lK%U_7O{lwMji}&0$mlTumWan
zZ3n!5!Vg?u&ti6&?VlxcN?I8!2Lbm$F7Y`9Q(QB3`TJ%;IFieLr=xn%deVSu3}KQ1
zo=_xGNT97X!oi1AMq0HP$odZCJqAGnPDXmMMxkk#_fLWt%=4*EgQVj-(_Vz6l!}oy
zK_@6RLKk@YPFK_iALy?GM0U}m!FnsQ+jnC7<S9Dv^a!Jb@HS7o_(gA9A?Z5_ls@@q
zg`vff<>bMDJJ%QCc`N;wl@8F;^2_8-0uOtoBtFhRRN;1(3nx_s>C9e~+thISM*<*r
z!Y_fU?aR=s0!b0m1|)IA5~q-^v3p%F=<sFwgVE{3#a##bfYWLO==@W2PNo#b1(e*n
zI2a^?H>rYmQqgvngWzhE0->eWV)FVyqG}z*c%wJdjoaAz7%K4#+$x8!vMV#b88<Be
zi}E|++}Z;cD*3jKu#osRq{3uY>ECZAEYnS2_luQL5@S)7Yzg)8jO+osv_yI++cEp)
z2JF@+Wk_G?sn;o8jk8v<jR-hqdA!`_`apBHJ3&v~CN2@XbOvi&Lfl_;JDBsc<BQhq
z`O6RgEl#nM@M1sq2e%dxyNIjm&<hAwA6Q?j^|(wcRFt$-2o;Qky$la_qcGGDlbI?i
zdkc?oo?G~7udah_rJL4cU!9t&BE@0+K5ysup#icSyig8TgN)Y`VFE{5ycpU)j(-8U
z8Xa;RPR&W&n<d*T*Ts9cM+ypa+YI6L6%@T8IEc9@lSOB|N_b*}3SbhwMI?&|Z`pBo
z17NJ0hFb}_*ay5~cY@CCVaIFku|1Ip-`+f`rgx9S*4Ym<{`LfVipFN9_2n3HF?AWL
z|6}G3qP6DsWUlHn=fV_aKjZ#Y06EF~%Mw$xzp%K4y6i!@Y?h>+;W5g7=#{qu7IHN3
zkZFp5ec|`LJflQiT&A<hUbGw8;R&;mez35B{=VR^#O*Sv>Fv+2EMmh`;v3sGf@H>X
zC)GfaU|(9Lv-%STeny9emQrk*u#<4=i-TyLhINGle^?y78$VY`rlyRC{WIkyi4z7*
zf2WpJy+oIvNd^$^IozVxjMibf`xQjw#@|npg9%X@$TjdQj+JIS4T3?1JyI#LjGJqe
z%gu#&8SCE7D9Ss4iZ32$<*;;6+;~7igz{oC;Ki9_k;}I3acqI@{((sl!6yRG|HzNp
z|DQ8I?7#AN{4Kxq_W$IU;{03w+B1g!&kb?A<SQ|Hd-#kN;HYHDoIwiym|L%KlpbRB
zHNP-V&16qt%}@;-+xpCl#M<LDTqWGgGWdYdm8$qY@K_GaeVrx#tksGGI6178#BkTZ
z0nEB{2=xS4(~F}>gYh>9PH8vRp0>T_%j@8V^k`jv#Uy25Fq#f0PNNWFB&cO`X?J*+
z#?|xWh9KY>WBaTob6n77H9Ls`eZW82Ga%Gf$aBba^Dn_MZ6A!}8k0V=2b8rB{T?hW
z4(VEIyMt6SW<u(ZagL>D6K-g4i$?t?hgchXHiL8b+QbI@d<Am>u%8tc8i_((Fv^m%
z`dsaAnF2DyKdSXLT6p!>XkjxGDi%&1K0%!DPb$79rxA2`I(Nt%mkO}UhnX@arjs}*
zClbO%UXFL0o^kk_PPn^74V2SE`O$r1b9?POA~BzFsSU!+%2xQ%7oj0zCrJWDTUoF;
z=^3)n%)tc0H~D%b#<c^PL!U>f-}3H{Ar;lKdYo#akE3vW@@)^0KqeB<kZE8{4Oj0A
z)U)T;$3qiuYWg#vf2z6>(=T35CA^#w0+=9~%kMY*lAMQW%6LLNG+g!$R$L#5$UKYr
z5c|vuZE2^8q^F3^F0yvH!y6+1;%+Io=&249+l|2yhwc}h-@*?USB7sC!S_}ThA@AC
zn`iGoGhd{3>f)pLJn>2t&{mRyzX;90G%;h0r@BxQStBM8QI-haWpq47b?iXlI__>m
zR+8^K<_IPvLLT#2Hbx(sJ{eE<YBrfwGUyE)pz5E;&x?}D`<0~Y_IM1WQs!9GgnU}R
z|J*lqnw%rrW^BJuSN){yJP<`RcS1|^{2@Tk2-o&4v`9RRzH=nVzUow&5B3Q@Z8h=I
zW{Ww3Md0AW{a7$_9qzdN!@T#E1NZ*MKx=Mj;auh&gF}zQ_ZYaJ^B60wkgEh3OF2~@
z+1O2l4hMp=zTA5x2NvEiln$PdeEA3NhF%;wy5c0NYb}lOy&O1mW6}w^(6WbD=yfn>
z>yKRri(b#963hUOA=%U1*Rt@^jQl_tc#UZWr`NzNGu-MNut2%)habw`E0$LHc2{1=
z+Qn1cAkgidNMXW`fSWVuFeaa_Vo=xsY>)CmfO-$9E}TD%bR+M~5Y}jKT`RQQ^c-63
zwZ{CXG>@mB=IFHu3zoJ)2*9@dq@ZQ;_W~KBmTFLrsVus$1W(WLN(Z&+z9Bgprr!Cp
ziA6(@tHkd*OLgAOk7!Jx<2wDfF*n5ago<PAG)LQ;UBW`TjkxHGtFzc{=nNxBnE1O3
z6&p`!g*cXLN_lX0IhyFXEqUI`%TC*kDY^YSqPOIOobr}57|bCgX{tvf-4cz)<b#+)
zp&{<Ri@El(<J?l>M9Dk7spM2E6P0X6@|%dEcC3)KjUmHy^*P*y_2@!j3bdC9@bsJo
zadqmI*@x^8m)O*uzUY#K9gl^M*HU-;L+!%s{pv7xwS5VS=5O68_ErM84Fd#(D-s#k
zYTSp2&vHMFPK%1`xZKlUA4h?dUqHwFYAm8wVOTYcG6O})Ml>OEuQ|hx!0rY!X{&yJ
zyS-R*5{VYIRU~MzcXsB40eALBONZ|V-B&|hg8EURqW&r-I>)s!mlwAHpNbWh>20ag
zzVmx%K1`>_|8wzHjmX1XzwF3f0)3^X>fD4E$Mi&`>8JNKoKulO?ij#1^=<G~BI$HF
zgT}n4{@o1=GN7&AZ9O@XHy8{U@$gXO2ZnXl>ACN3RMS+j!>VGOgTO3A$n@@Ey$-A~
z(@jJM<LELFGJfp|YU)SLz_`UfFA*p;9?90&KkMqtptmcKWspz^@+D8J9~%!}#tYrN
zI(Uv6?>R{$ewZivxi8NbfI1FObZo4Dc`HKOjhMIsJJrNw*;9+SB+c()a{A`bMF%l=
zHy&THJRHLdU9ggao-F?(Kh}TC5BIP9?SIR!82mr^$AbTsKWlT$TWQ)bD5?`)N!_(9
z<|d$*->-#lVn_{LFqKrf-I#BykFH>-R)4Ir{{9u^IP>j_A-$QK33)0c)uA!SBUemV
z0SjbCU#@e(j$M=8eF{P-DE~Vsd-+05BY?kUbQC_T&xK!M@Z3T``RUO?JO)o=&1rbd
z<+8unK(SQT0Xg4vjl!A_#g9gS$IvRpaUCQ{5ODPy6~fn$Axs~&gw|bz9r0^{+_D_G
z%<8gnW0#OPg=#hKoFi|;-e8YbVu656YxL(Nk%<lo71RWTa4l1`{U%UmjIzGBxVl36
z0{<Oc8@J-EkN{HfW(RMM?`Olb8EMQ<0S}K)<YYZ#OdGhUOKKaM;#4Q9x82?7-cQqI
z_)|tG=y7F_>1KB0fTv7jH==aYnqZ{MOH`qr%fs0$2GyRW!f6B*GG6)ivxPPG4ce(x
zc<D;w+lfu_U#^6-32pRt%YF=qg?D>L5p^=`$*xLja^*m$DDHJVtyUa_FI}32RG8{}
z6lel1O^VHFLFJ&IJ9ZD(4%{VD+Ltm;U`NB44e`2xf|=YrbRAvN`%65T*`|3@F9q40
zxkp#afbEC85nDPMkL4(Hh*0G<sW2f95QxCn=t$uOV)=HlY3(?ibfd2{2Wt$DH|9Gl
zx^-@eA7q^M_YnAY(CvCg>K)T3{O=k*R$cOV$;;aauJWfB+xJCfkaVrdS9ztT;r#59
zVr`KSAx)-<SazD6@QUD2y`8t`2b3ilZ=ml+O%d@4>mY_BWM|W(UD?{Dy&A6i1wf}u
z--V~%nEro`k;o<nY@KqN2H$|49xWlrMT=@A44txAl+{mu?{K37Ex_;X2a_?4^zGv<
zGp$IyuYbK}z|@GDvVhPPpSUFbOqjQYHyHAW0!iYWur-Sch!DmoLVB>mY8uUBQ>a&@
zp%{|r^JJc|<g~lHPQ$3W4^`f?HU6G}=cD%5y<~d7Sm3#Ya+Xjd>KhvycLv$&Th8Sd
z?kBO@u>qw##g?J3mvL>Lk%oZdIu-t$8_o62hT!Zmubz*?VcyT&I_vxubrRJ{eIyPl
zmBG=sSWEYfV`Xeq?2Min=mv5U8}a>^)Gp&T&k%vcXD2h*XUW1y|EgP!+>+lG^hE{N
zt8*8cSrl6NK%pa^jTt>=l<%$fA@CGc*UEzqkKxc$TT;sqry(BlAu~VvyAQk^LxiKo
z@}hSly;X+=P^R=3I+mJcsT|Vi@Jq#tjjy1TK2?4A8dZc;rI~*bry$$_j2KY0BSm8g
zqstp%-<n0#b}1gm<Q4zf4f-NHLZM|MO_y6GP#GwoMd2&3T;0w<yPXO1+zu2!Cly~p
zMwkq*x5^<SACFUQnL5@nRBD*3W880@t(=l*xPq<_CYPUYcY`hus+6tkCiajxWH-z6
z(aw;Bfkm_aOn~~3tT|827HY^Wmv41fCwB0{kO$K%s9}e`gtYzO@CtuARVM;ZTb3D(
zUroVne55@#F*uA2e`Nq78d#VIY^YxBSj+<C2vSmVQ&w|Ralrah4sQ=Leow&Bg182?
zF`v=OEMhsB(i9OjcRoY~A;<OH>}%+RKaS5m5MP&=X+``rXMkR$k7z2)^~5iDyO8UC
z3_{HVsAt`Y3gy=>vx5a~nk%{I!S&LeALUkfH3NXmkJ{i*p>d2U6NGioO9oVHPh&7M
z<6_~dYTaxiC-jCIK=ByY@>9aN*mCXQ^W>+x*E?ntz_8%ZCc*4-{9#G!{`RBqF0nKy
zghw~@x-L&32x$K6+2MkRXS;Vw90FK(z_#>A62_R%8-4SrVYlDxtPh2Y?=|e}iMb;^
z@VT7BS~*zCtf4kJSWJavb=H{=!zb9jcRLPT9uowDup8uA$voV|P3MK^Og;hu_*fgD
zbP0r4*P&zOdJ)m-dWdAP+0?U=@SEav`cDt2d2Y);@=yG?{P6$E-}bls>a_op-^lTA
z`6VhPh+D<-y?B_Gcic!Ab3hC#naS9Fb)L5f<~|CtY-nnBS5<t;#RE1#?M)1-x#|t_
zdXU5SlH+NG-r+X&N-^Os#W_B4o>y0VWJ~-$v2(sqLFd8EbTrH2;k5d@U1srhPcH1f
zN;E7Qyju&Nf(yiJ9B@1v8aN$n#n$nj=cNor7BfO`Qew%V@Ms4|>?ojjPY2#p%-Z~F
z%COlS&HpT{{JbajHBfuvBX)x|LJ$}Y6$i5^=*R3z$2k2N=WSXWR_7V2%p5d`Dab9M
zhZC;XAL<fWh8I{DFqc|S68pnIDAKsE=-U94#lLZvbZ!~yb>ANAL=OU-SP<Z<79;Fc
zcHZ4gEw0So_x|Vg9W*85>}=+%zkfz@rZ4i9F^W|RRgI-8Z@~_uJizcW@9P0(`iG{T
z%uX`o4wtQ&Hf%x7F+j&a9`bSOwtli9PGd%B!<1J90obms_YcYOBV7!;d%*ZGA)Pci
z*z|eHSE%_C7q~7elOK6A2sGfAh4{m&ZX3|+rV65dw;uV*@(cIDvyc*u6zPfyi3NT>
z-L5P`Ra2XO7WTOy+xvDS+2EIS21xn-JY@Re3i(bu^y%b{*nqnXj9n^|{y!&ZqMYVD
zFK?;=r5-)^VbNySx*nSKEf2?{Y5LEodmyoVP%tnp$>74Vw(R4YTqym+$$Zj0$5Q9z
z9%j{7&!Gr=&NMV|cI9e(Pog_OOu@V3&VaqK-_NoAFz;gb=GTaNX}XHIJ7;t+486F8
zsPy%OJnqz++z%`Z3TE*wRjUmGEAShltOR2kDeI2Ga&0;gsgry9_TzG0%&sl~4h%_V
zgkhstjlW5^pBZ6SpPLANxYX}-F&+fMY~tHiLSrNQyC8b^!^DyT@1NqJC^ecttv$9r
za*BBLgB+S^X&4@^k~7izOG5Vy8&#){f#!$LIA6W!$M1|M=s>GkNM0&Zb~H6T^#oP!
zh7&>W$g^p_G}r%bB9^EUwDDr0^~l4@YqX7{$qv+K3TRl|B|HW<+~GW`z*hK0Bv@Ok
zcn;JKkN>cFomo#Fva;s45BD+pk*&j1R{9bz&8P4rV>a<_h;POfz}CyqP|C`_M@w$W
z#v{}NDV6L}n^W_YGcS3wvXjq{=A!}-{yW{=#d}0hmU4i%SDDQ0yEeAdVm3m<Awd|`
z0M<5=EJq>i5IA@}OX)3lP08}qJD;BIC@j-_52R|A(e~t)!gEqojjN$qK|n<S$aOnv
z%N})(iIVSjem&IB#ItY@JXUos^mv44c?Im~yavG-)5pzxpUl23)J<vs{X6UXPJ`&k
zE|=FyM3zBQN`e8Ljw|xki;w7wc0&3Y5Wu{LEv>KP1nPbS?hHT+q%_%4tGo4`AZ1AZ
z>fD6`?lA~URkJ{v$&{-J?JTcdIDQObz*aL>VGXz!3+e{aeWiB#trF{695?iNW4c;F
zgmRefcSHs#eiTEUIMuhf6~Ih1U4c>*yBT&cHSq8ZlQ@Kd4#3iSwd7@wzkTK9rVw`&
zi;L&r=IM4Fu8D)HWfilh1K^9XJa4C=7y65#cxgF?&O4=)M<)a%S4YcUdL%=9)RyMO
zyt?VT-z>2A%){o!VgJx?7bM>&DR$iggijVHg>z4@aK7=J_La24DD|}2Ja#gwyVkw?
zR6x!msTGGlD2MITnZOV>J}SD6LWR}2c7QMSvG6_nK@fvdXvb{{IyuK6l69*#x2CTG
z-Z0Bcg2>dL#nYfJ<FQlD<&7fzTJhXIZ4TF(tQHQ_e1}WHQ_v!_+T+l-6g7fN8^upu
z0Nq(qU{zxmXSSY$xjXa5E`xn)MSAY!GNAIe#~1XBHz3j^4E|K9`@iR)<(84H&KKa%
zW-X1=Q2;8&E7f-fwuK}TWSNb-F!S{K!&b~JiEL1S+qQqvmq>Ms9sq?>SBKyJBR}ZC
zf4=r0{40O!-}37$|4;ruA0_~RfDllBn(qGH?ZMW2m~hwPCuj--$<-(r85_<(ylALx
z%VxZJ^Ja&-wn;867#k1gi$X6g7V)~q&!v*yHjJP&qnYGbws@IXDw8PDZhaX_E#_F)
z#QNkwI)KjeY%ZaiYcrS^ibI*3GA66051`_P3pDwLz<wc^bk+`Z6nyb^=wn#audG@j
zEWkFuhBncu*j=ZlTe0IQp)Tw?s$U!<-nAXpVp~AG@!lML&i?jXIkC|4Maq#VffM+x
z#NYqI(;Rw6!}@3Y0g;+2^Ul2}4eJYI$bZ>Q8(4EDN9!G=Q^rc#2L|gI2$xriX}Sq<
ztGWnm#_!m?hTdege^z&y8k+p7FTIl+IMIbx;H{@Wte=)*kiX}F_S+Z-W9J0REinZl
z{etk8g!)M&R%X%s(Yhf^i{wi@<7;0*Vbb^XpnHaSCfJ7QXT^oM#OLu#OKhec9W6QM
z#!BNt+<3da$ayqe<0^-^LFC+^lShwCY$uuE&c0S1uvOXV7wLj<>#>TI55y$X%`mNy
zJ4MiN&af-OBS13<EwLNZbmh4Im9!;P1nW5cpMx&hEahAyS$Q^bZRNHx5Br_IEZ?&I
z<x<K&**{f;f$V-u5*M}3mdhiCEXfY8LsFwY9^NAhw?g~BUz=+`wCE1^(Tno1+5IF@
zML56H&U<1XM&fdCCXVwfeG$&RexE5m|D-#bHs;UgyEg^!dQ;l6xKM{<%cM)hy$_@K
zbKA_OCi{tvcks-_${No|>?T&R7J<!_KWDSK!H1!q3kMuBbxU8{&@Zy;GymqXf(4LI
zWTru4k}Dn`yC=>4E>;GAdsve4Hw@<EEv*srqKfpe|4Tr}N!WafdNs{cx;BM8i$biA
z)2V3<3)2QOdYjM8r?o_|iBBjj;Fmk;HaUz=w|sOtU(S=M0rHiR5&-yN<YQMoX``13
zAV=jOg{h}!_?9<sj%!@$gc{kD&BLTEEmV~ab*Rx3hmT{)heMdrT6r=v-cZqWNDuY>
z-nQ-u|AO<Yy4dzuDEY#ok@Y}gAZmQ=G}%5B1b$4<SV7B*YeVtu(f4xR3sCpPOB2&V
zs*qXn0^_T0Ru3GV_^2CtkNb8fQ{N#>-KbQd8DJ@hStwBa4^uj+n`yRHalM64#7f4o
zNf8NLVdbud5@zDUh~##_)7y4G?S|F|?Yg<Qvcz+>!Z$Yi<~LDyq$}34Z2|bzAnQ-Q
zqjSRMGkW3ucGWC%;E*$V?U?rU<zB|}g&x<rR{mMj7c7j!T+ib2U)`UBNA_tp!V@x^
z;qC{&W>o8Mh$#z)6jHZnwkjj3nt(rC!{TacYc({qP!KT9>QG`=KXK0$9kcU`rS0ED
z<Kqyy&~pN!dZe1}%9CZbURZw+*jqZy+*)>`{UXk^%^C!yS&KBcBpKhj{DCd?Wfizw
z^&MNevH{2s;5!FfWf~ht&jT6eW#Qj&Txd$E<MI1q02ea5FLy9vrdm^oUwB<w&Ug|v
zdK~9el7w!@XT|teed`1D-IyI=O?1;0HaV`dRf%FU-C{Q~#Vc@fO%e(jFz<^Ab^(ya
zJ3e2>SI?7fspwO&`4}0SS=4f8<+cdc$+370{S?x9kSb#%)pkj+v9xKY7@-k7AGcue
zX9y@qm&_u&{clU15=lF~rx~_WvJ9k75?tVJY2>@pcF?8k<L4%pJMK1uKIM*GS9qjx
zimL}a18x0;yiu5}B!1_IpGN$Cr<tm^KFFHKA)aI!v4j*_qTW0hP96SiJ0ynOThvq1
zr2w5=`A^WAahk0ktHIhw6_Wasax6*J$=8SLrLd#jBFXDh03;X7^a#Uv4p%?y!6>yM
z8nVO?uFFIUW=&naD?}v}D3Hn*YI3y`tE(YiYd@wvfKqF_9sJPY9v33`uSON?nVrLp
zaE05}H^4><l15?B%t#OGtSKSz;k1GO?K#c-Z}}1bmA~b0`Hj5)Cx7kz-||;C|8Sbv
z*uEDznse_|tm=%A1;eF(Z4Dxxt=ePnR(0SdDm8s;7Tc?$K<#tH_BYQ_U*n`Zdgc-Q
z6cCvFt^-{47T-?}^(~t2qW=AKOS53yi$~l%fvGkUdAm+{7EE=VeDzk9H8%2+TD;5w
zuraOGGnIcn5CWwvsY*DtPdKQ~;0S0#viDW41bc4vCumE^Ip%e6*CZhvYw@G7Qe&eG
zipm(E6S0JEtu9st;UJQ9ERz<c070Pal8yuT`D$#SQ#u^N5(jlw_Z>;al*n0&*Ni}~
zcqjT%%exH%D?p*$#?=?_5$V(vhNy41mM*<SuIwW~$V5l*sl)WjS$kWxK@ARKuF=ig
zx;Ie>M^_hgC)Ig;5e>;KM!lj7VEpIOSgAO3msnzn*%@LjnY6$MOULxy*X#%qI?A6_
zAXgm1?#`<_4?sozmhraB@rl?a(XpfIm;?D>I9i<-E84j@i)R-;9)?d{?o+hx87DK3
z6No62-d)18&=U=0UEVhVse-leI6OI~;ybnt&uN{b9E!5qt4lAqCl2fhpz$7p@w0g5
zcfXv#RG%9Rjow)BjWW+P6smA*!Rwxc*KG`dc!5h)47qMyd6j_y?Q|bqGPkPc{@gZn
zJ2h)rDn>_N$w4x8-boAhA~DliE&BV3Q5`;bq@3yMPIgFp<i@V91O{~L#leEzN;mzl
zhrHRITIp)VJr&~${g45(ZVfhMs5{<GSHCf&unja^{&Ww;FWIPSZjZu}_LTz|;?xM*
z5a)qEpMx!;i`u2e6n+jmN`wjE%2Hus361i@ns$M5fh@W@UaC)UZbB|bRl|u;u<?{a
zfN@|;u3AA1@olw<$#@YI6wE@bw}{WnDQejJd;nrliG+-P7eR(LY}4xdDRLhhgU?34
zsxp#6Y&S9;sy~HhYN)?q(3wMJ(7Ei0ehdRzM*C`)K@IavB-Yh3?D%#-NN5NL!2h&$
z(BJb1St+ii3&8A1OgkK-zJd7jEI0G&?1t@}>b3N_>f&QR@mN`>Ip<wA7GUmInt^s%
z6BCApet?HsWq(SRs&AmyrePpnDuHXTIdq6Si?8B&j|j=9Gd&H-vJx$Xp=-H?*i3T7
z1QV|f-$H(VVB4d{tb1TqwJ|QOX<8xueZK}9#!i}B5CL>v?_DRydL0Mku_=yJkW2Q2
zXHyM>30XV2^$BIgwo^x+(JPR8pJB_qn|3i|uf?AyhK;Dic(#NCj1)T3@|i!M%LOs0
z_i3@79=%U`Kd#U~)Ee-q5b&hj1M=&BdLmfS>QYVbXn>S|YE@6`u|~LU&SoUN74!s5
zewro4PhE#acS{v#e@upBM`|K<cUp12Iqc7$^u9GZj_<CL<-eYaHNZblJnrg6?bput
zjKAy&%Q&8YY2xS#;wXIE{fPx6F+INlF9fTa@6?<~07|Bm-5j1B5dS^~>B24~&7q;<
zOtu>%1h#E;O#e09YL#b4#!F6Ej(K@bhHLq{X02|3h+yAiwc3x5c{knJ1vBZacmXVy
zyz>LLIe<44-sYM;wF!k^NqR75g<}y<P{5K(c>CvgyyFO?!)gfWM<l*_3eRjPJ_tX1
zsrJnxIJd+tT+m|#RXa<9`@O}H2coZ=7$21AdgmE%)VVM)ZWQ$n+>V9Z&^4mgi2vmk
zP*Qdj1S^*u-<G;~XHyZu6ikBZ1i${OO!?DP@`Y&$Im+%6o#!`GSDK-cw<e5*?9SJx
zFGMnm11yrj*?H`~eew4Oa`Z=@SYfA`?;#`Fn4wY@P!-z^iVlw2NBm~JL}%@AC|?G&
zJ|B7p<-`Yh{L*Bb>}4t!q!**l$)ulMwGqc-3yEt#hr3G&^(-)E?j69uYfDFB`s<-<
z$7b@_?Lhv}om&T(8$VWfp5_%DyM4%QqFWaRdc6N&bd@kFXmd36+CMWt!r*_-{C_$i
z{$zNY|CZl^^pE^Yz6b#PUc!INul5u81NG1|vc_ath8}4>LVjw7)5<6*@`t2sYiJ?f
zg{5v>GJ=}XI>r9Tl8Hspkw)f-u@eEdbakYfQB}>G9%JrGZ_40ZbKNg{(du;PTRfet
zAbaCW!S+z8ghRdl6656o`0Tvr%F}M_U;1K>J{v6DH%3du*^lVSlua?x+#~+#C^x5f
z-Oe^#tW>Y@knp%3{-X@zbHe$t=lakL`@z;JRT_dpoRUGBN<67Q6>qpInYh(j3I+7o
zVqI7_q1bv=HcwD)Quce~s3lb^y%Z~Mj?uywd>FROnoD(l#cKtnA?$#2Ej7HH&hARL
zA$`Uh@oA$!>@+cIw4fpeFGmaF{pzJ1J@?do_#GyG60ud*t2}XS(CwO*IvWP$)}|4k
zz+5B$s2(_GsRxB7%$gMh5(){1px44O?-GZ+_v8~&7GY-4aWpfb$OpLeOHya=cehu*
zGwon+dkG4ZuZ3!P+lW>awmSB{Z7&S!;>$3xcd+<5oxyo>gbuA|k{BxO<T%62Q^qlA
zT3);+zFj0e0$!|NxO4mQ8=xNN%CMof;@e3F0j=GiSH*#G43M931V1-eYlfF&STXqO
z++J6%19<RImKb>CepjV};C1Du{-m=cqZjWfa?G+Gy(1|6epVcM@-S@4A6y0>Rv2ex
zS>zhXvQGhY_ZB@Mjo>?VG9Y$|yl7VI@ND-Jt+T|1NBV4|<4U69YXFZH1h`lj!_G^s
z9cZF5_Xic@JS7tVeVwv?Obn=CLy17dEH9JVX4A6ujX1)q0mpZ~Nf{6uSYJ-4;y~c=
z2I9~9DW%%COoZKe-v^lMDFi&wNA^1%D1Pe_58Szav`}SyADy`nB!8)=VMoxQJ&#G7
zEkBvXROl{nQg+eJeMO8S%c$+dZ?>fuAt&|gnwCt@<|pZ_m$XJ@jOM3o-u|VsOB9z2
zE6b@)WeVad?^nKb=<Hbv(Z<O_sMBX<@{vF+CIto#kKpDHd*5N3oc4$czi4@r@wye1
zDWDFUh4;y1^LD1e<`7{JpLa9q=^^ebgi&fn8SP>BVa24@boPzvCWJwK_TajPV)&kR
z(vVJaiBc3XzpU1pojeZ#Y0Ml;LCz&Rz?8)oc(UN9+TY`>Io}N%^hb_*9P4`|`JJBK
z!t-k<ibVQFq@D14k?SuqTMqMoBDI>DO4}mb&1-Ai)sqUQ5BG{H3&q&=e+~tOs)N54
z@vW+kz9pGiowQ)dB-3y6vl)AjBg&N5-mH`~bDt9OG+9VCz0b>P0FMs5*~#*2^-xDw
z7v_5B>-CWoSjMtw!}qLzC8Ix0l{2cie@7oA-*jEOIP&()YnPo!056@H8(+$~2nbbT
zp)6pY8OZda`FQnFawf^YjMN5u#_-WaHm|HzaRYbzKAV?I$_uR`MB$VEjMgrW5_sBH
z+Xw5|bmfB9_ihXAqe_vj{O0+Uq=A#6FRAvK26nmI!*A%<;Nv%WHH<peFh#C8@LF>L
z@^&^apP8At+3y=f5y>9U5jzpJE`_W>C?C`7<_5;W`BJ>*LcTS3k`%*Y9htlkS}V;b
z<3RcayRs6mP1Y*K;a^6#tROUo4vH~qYTu?)2#E>`)(Lb#4l|ja`Rg=f5^qOYj|M<q
zzIuM7lG2r&$;fFA#Wz0yx?ddHY+M^;0s8EU&zgFvSs-m2VAmv9`&vH3k@zk^e-^{4
zSEVp<0ANgmMuaC;f!iPRSDGW0PPNK}bH~x88`xv?*cxFCuSh<*%;iQYP7no)3DGyM
znRdApsJP>Bni6}p`i{aSmF?TeGDna4)}SDA4G8i?OwdhOjHsoJ?Q37M7S;MkT;E%q
zwtn0Sh`)puz^E70T4pH|-^^x3lD5`k@;4m%GVSsmav1QSZ#Hgr9k?sLPuDNkR8CpI
z8U;mNcLDTavFo7db;x_{f8=-nZ~2k`mA~n4`E95FCqH%M-|}BHRgToNN#`y%|EzUv
zOey_3NA#Zf)ud+^qXJ{snvEe#R?<qMSeS=3CS^fh2GNxhGLV!TBr~!Uh%*>nH|(y8
zC25>c+7vrJ4<^%7=+#;ATYMt{ACys6;JMR$x#-$z29s1;n=1_+o9~I5TZ-RjX`xso
zxHRZ1{isrj*bTB3v~S#m*5#WWw@E@@(jBxOFj?IYL)(x~Xv*#>;9C7HnN1@VX_UcU
z$q9Ett95+pB}hejeq+xoV#h2Ep|1pyT)GQ3O2zn8EC7d5v97Du;-ChiK-Cz91Zci3
zHo3#fKZWco&(f7)_-#d52+BLB&Ip@LQksV|iDn7RTgP`pJvmOWD#SKszUKtgXK{0%
zRuqB_3nq%`xM!_jaQ~XRQonE*0!!PjD3oB%FL4O*61I~WYnf={xgr;B349htMa4X~
z&b@YBO`sIL24<jsz)k4&Rq8VRxJ7KztGdJY^P_*T6KPj2n!up#l=b))2k}!hc;QX!
z_aaCqM`aW^-z3ULC0G$u5cdk)LPb}Z(MG&5(ee5(N(CH7);dO(7<)666>U5x#MmTd
z_I2Nof%_C7>arwyWDYa`0!dyBi@dKM&BAC~sw((k)rhZk8ev}1=G6Yz?@KnG#?+Fr
zs<^=<1k{R5yR5Lalck95<-sMO@5LCg@DI9*@qT027I1z@IPbhk0n+ZGkm8i0&)G6c
zW`<H0$ysl?qyVyJ6zu6j>Fd+OmxGXLlVn0Oxve>VaVaao>YvbYIYm-M2SyRxX@RmO
z0;M-sDOt0CEG8PGo2gAEL>UMN5*y*=_G)zDaWINa7Z;7Z(HJJV+YwMj6LF{Ig@D_*
zr4>sx{e@5@N1482`*DxBpd*sh(&?a|Ls<r&-n-<pEwb!2r+8WcZOA4a*4oJtm6leu
z7BBbc6B68%^!%#FI}JbP84nE|o1>wHsYp#SV!YoH1eTcN+9HW6s_st87|v<gqR|E{
z+#E+L(YvgYE8#`@D3$(P3C*oi_m|%~m{FoMOvwaTDS8Pj8q|;&NVFs*#41Hgq~+Sy
zhNTo{08B<7@h4*$D5nV{nB4lHAb0bbq59z`^HsPcUDB5Ij1!Yk=@Br@MmV$m;?eBE
zO|yiC>2rsIZZnY2B@r4=yy<P0AKK;6A@Xn#L}KC^^$x@R!5$0;S!sDHal-p2z3Ygr
z_HlGG*fa6c@1orPgp{f#^8~3T8f@lV#7TSZ@z`>i(?<9_Sps`x;?`YPn2P9RKKH`9
zfhy;tl4CwG|5{R;171=_DyZMy#<htF|DahEh$l|6T7>^RTvbKQAu>VixD0ss_~E6|
zfkptEW;=Y`$0LzkOpYkI$A!Gm6CPB{Ovja5wB5*m)-z6Jq-qS7AQR+kx1i|-?y=~B
z76{T77m?r$1Y$}JF^W7tp5Im#@y7O?tbS=avTu->?6-QGfK1^Ju*6$jm9J+3qk`Q4
zUwZcBI%usT@HwAj=L>*5IZLBz%xEiB`8NBro#xEdAl%(YVgawSKmE{e!>K-kp<<E{
zrW#06|7Y#W`?q+Q`cez|l3Tjd&PMluWm%L@H9$}08JEN{atf{LByclhi&+BThTmxc
z8`@Yz>U`(K-misN*Mjo2w><PXh2=X6o9kmELcxu2dEGu441j|lMxlb7wTIGL%;cS^
zv~VeR`->HRg~4~??*bQ+q;w;A5T~bs1SI7j4)qP`gsKabLjxkf6g4V__v=AJXb|qZ
zYvQR`!c_EwfGV26N7$<E8J;M9mSl9K`yd^|I%BM_`JRn8genkNM3>Qtrk~JYn$$^e
z7eV{>CPR{{9&BW<)8YZW7w;(F<Sfhl+$s^O+*y0h$c?vAqIM+<<dH2mLgSN4T&>lO
z8<6t+=6oklqUQ*(O<64vJ2E+_g@^4t;+GpUkp)7N|H#iU^q(_7%D?hA{w=?=^Z(?>
z*ZEt1x!;)D5%kt@7YXjloE#KJjP!c4mz12JIWxCU`=#4-Zf-p<aRc>}iA3yunMjwp
z(B6HX2%QZyng{t_&oN4k3n;aYWJ|;(&^J(PXd06TZS1n$r>H=i7}Ht(?L>nj`h8PG
zD-~11CGxr~l_)dGb~>uNp$!RFSdr8LEP)dy%j6Bnjj^#5{Gv*v_M55!Hd{>cJdse*
zsW8`QMkgr5u8_V9vaU_$EB@vlIn*O$<1ZEiXj$WF;L8~sz0S?e^gh=)?~7~lP2Xki
zQF(Ib5I_!(icbqBCG$I1!i`e^#d})w$%Wb1jC_pu$Uk3jbD#0hA0rTHi(bICblnc%
zX)QF%it36Ib`iw9{K}K-q~jVUH^U+@_HeN;K@1CWm)uhiRqY74hE69J`Bh4<O)~Ah
zt$Sp|kQ9-WIbMo7U2)<{F4CDBeTDqzb%Jr93+|-gF6BZ*7LZ;vo)VH!pU`fF<}WOb
zm`!V;e^{Dyr*Ymkrc}^20f>Bo#P{nTmldj(FUJd+sM+q^gtM-9Bv)h9jDZM$St*u|
z5pAzmP14YF$dbeBD?U3l-sBiF!Xy|;I#?47|5k~9neP(*oQ~WIGmiF^4gT3e{_XKw
z$2Y>WW<y62#_8dj8t6yzbG93f;3IhH4Up*rkkcX^@flPMErr8RE<5|p+m9$s)F0-w
zuATyQ{i}8vb2j^C3#UbQ(7#&k7#U}*r!#`~{9VDFQF3#Qy^~Ha)~EROtV62}gi8%8
zg_nT~CTSNsFcb?)fo8UuSQb^9-Xi$Ts7o<oVZObjW2Ths-bd%FbqEp0{i7-%Bivu{
z^DuWTD`-$fNn-BAn*0_(S1p12u^T6W&}>if{JjjrodGIxob5?@oL9AKr8ZiN9?WvH
z0+2Vs$t4s{Z)$@bA6oO`!-XYLO=)Z|zxEh{vSK=2Ev8)Ua3!Tir?afT52kQguw&fC
z2#;V&fsw}pev0<|k|EzF1ZAq%Hc21}phr}-NFMW^0BwzaaUX2U-DD^}JQit(4^7oH
z(hw*)|7F8aTOrJ))JlZLcCEa0mTm`Y(Upr;y>*y)G6(gZrJ1Pv1mAv}nC+Dntag_0
z8{cT?tXG|=(qcR%Xt{HX4adG^5SJdoT2H-0N5*!u$+B&)J3&<y&*7{y({x#ZzI;n+
z<a<gyi}o9sNr2Pw;ZWCB|MZ4jhzq9Y&x+qxX8|hmTp)RZ>3RP80vXg#lGsWyYz1Si
z3g1ZMOu5jfprnEB_TrXK7*;SbdXv|48M|6YzYQ>H;dEEI`c|OewhtRnpg$W0svXGl
zip9z$YpIR5WHUTFv6GQC4?yI|63}c*ww65wE4665>jLggeg^5<YJ2hLH59y@?F{{9
zL~Ml7d*OY8(D}SjR8z*6q%-Ef0kNpb22ylp+qGJ}LqB-eu3H-enqDR{mS>OHgmvWP
ziMdF#bQ0<&{n%ZZn8jAt@$wZqZ*3F}NMELb$x?N0iM3Qnox>^V1`5MY(pEO=i(r)~
z(DcHt6%hm&au6k?cO5!)OB1M$Ml<NABKYmTQp#~e-Rc+FoADJ&C5}2iW8)pbF%Mzi
za1~QaSx<b3#6=hZ4w>5v{S^q-1p&5@>ZJDaj!SnyP}qv4p56v`i4gPAfDShxRI|Ss
z(`Tg~w^Wi!C{nsG?I3)BI_T<Y1Esq%cH#)*qsz#~@*6zOP(163T`_q&EG#SXB}qIv
zvqaG(?K&|d)EznUhJ|4~5T0a~z}{76$Mr>yom@N8DfgF!Q4B0aR40d?W%8Q(P?X<q
zV>u1lk-b1eu4{JP3HoZ?O1g+>1;mR<0d}=5tv71*u4_w{3cN};4LWQDR0Hl7<n#6b
zK7Dh&Vh%nwyWFNcW2DuJ)x>kGufAq7jzRmXw~r_j`kO2iz4MnK_T#?4xr2|5QS<+i
zfAPQNNBvj+hQH<a#QUH8PKkfZ4^60^YZN|tcgz<bmP3vb_)Qe;=QHk=GPy?vam=fV
zqO!?qDs>Or%Q=URoT!&NW~zJhETl@1l-R#Cn+)8TG%>5h9PwwU#_5)C;-@eJruK3L
z8O`<F8$?0zTU-oQ!>+!yz^56^!@mYtzaHK=8P0ojt7Gvwn=Koc7Em@YWR=22@ALC{
z>#7CwKI`R1{awA3PlPSSh=(SbiIkoDxn{HK^gtK6bz3K_EK&i!s5Ul70=pbkr(YDb
zg4mTP%q8;rn+xd(yTZ^~>s#OL2i)0unW8LpBsu|-7eGT^bnI`tg&3fy1akwgrLpv%
zqvG+JCRmc2{T%&v<BRiCTvS6SnMc22iVOe;V8S)N-}smjICL-te39dkirV<L#a!mA
z5SBQ2cZl``;<&D@NVxO+uY<OxgCVOKsvKF!@9}an%_cqSqRuQ<nl%XJYT`A-F$NK(
zd>myh*oKygn`8d3y}N#jdhh!<4pJhubl1|c(zy~6f|R6mNO$)xEgdf1Al+TU64FRW
zxHL$EfOJaUo-=b@Gv}VU&(HS{{tr8k`OJLZ`+9z7(knUgA#m*Cej%V@&y{*OeqfC0
z<#>XQm!{N+m2FzCns3k#JpuZT#*t_i$Rn!P?uQWOniz<wi)8WqrgF8u#2S`>sZMQd
zUSo0J!O5@saIv9LAy+>Ut~feQKV`AkLzZaw{?O;Qo`hxDR|HS=Nwr#JN&WomrNc8$
zmc+*#J~G@izxB~M78M*Muvy~H(}(S;dY6fcv~m_m44rD5ME6`uwb&_fjtu|c7dz~(
z6J<|W{UN|s81X)iAo@Y|y2VbDoG46mvg@E47H!rCLGj4W{6*PciH-fl&_<8?nOjtZ
zN(3k&n0g0pw#9bRZm(cviu!7VBcW$iQe*0Yvf^g>^E>$sR`3p>M(zp0{?qC@W9Y5!
zKFgDM#r-;20193ZaPHBa4VYw1-#T*v>MX`^m=}u#K+6rS;vyxmI*4xD>{8eo?iKai
zN=@QtK5+!vqq0XJIv>3g6kUx~->ouC1l!B{G;Ac?^IIi?47uhUuwsfYVC-Kw#k1w2
z*^x{%KdFchuX^4$eKF=jjrS1WPpA4}l{qw=V_cE%P?=R+{sdy-Q$}G_7R<lJ?+avk
z2ZDM_L6uEl{nwh9n=qt@=5Z)&Vd2}Q27xHz46B|?mnDS-i})D|$1cy1+AQ6V)4`YR
zd4d8a^%V2>!mrybwk^so<Lo32d5H?ORIxS&(-&oo5ahr*ryA4r*~?GOibw(RS!n|X
z4MT!0kD+hW1BDQR@LdY?Ef>Cp4K;K*jKdw{ugM?OYaI789jgtmc(O7DB9<NKkC@Mr
zH+T>=T($O>fFS?X#~cFDsq$($7w>$!4=6DP!j|^G&uBPgryUG=Nsew6YExug1X_*w
z?q~RE4p`&TtSxN!&I~>iLTXp%u^DcgO;Wt$8G|W7>tc9Aa;{s2Vjb4jiYz$}6+Yh&
z>38p^7d0|Fsl^QGrXD|*fXw7f%a4?io)r^hqN4;OKkS0!4uV{%9nrH25$>^gjBVVV
zHTi_cA%1BLc5m2NrHdygBgTmp=Tx^+Tk-wLh)9|AE-TrL)$C9W-d&UNZqX3awNK3N
z^G9`VTKJ!vTXM*(vHG(Y_;2bH>1m&7{HVI3UF(EqJe*B!S3`v>AiiHwi0Yd=0Q!S+
zoYF#=r)^XjJyLgZ)kQjYL8B&4U0Dy`oz!ZY>Ve*@MKnskZH*f(`VtN4W>7Y{@=W)`
z>5L%4B7#g8EZ-VZg;C4AI{Ure@ACWCLA)Rt7?ny9(W(*F2vIx)U92D*t)t5C+^`_*
z6;x}A(Wq-lo`&$(tPCi(@>V!a)Df6JZcn~wftm2)y=B%-EIkp>3b%-c;>h+$=(e%s
zQ1b5oaO!4)j}9Ot`CD{hsLtnKF&*P1-VdU)|GW@Yxdvi|($nYKEHhwvhE7ur=>SjU
zE18m>b8>gK#H5Tc2}^={Xntg_AWaAt=uzhnz%qge{*qs6;9uYTB!A0a|4;dY2L2=e
z;s5%=>vOQrpC^;JPK)xbE1GRD_SGpzdNQ2LtmN#)=j*uT#+7TUN&<WjXGWSyo!h`j
zS<uYXS{y#6a;A7dWe`^P<_TTwV~l{{nygI?#H3=!=?k$gZjbyf>4e=Ex8ZDr3R^s<
zXMpftxin#2Ti_WTfmE<QI!GlSDgp=vLm3F)jq1rV2hjVFkRQYj`b-M}>>!n8s@C5<
zWkx8k<yzc{c2|}+09S;2)+`ieIIrY1oP0OkUMJAJ+$Jvf6@CsFJ4>*5_)doXnLT!#
z;Rg%;O66C1P;ny79kLIcILu5*O20KjMyMcgDZQmYJP{asomx0=15S2(>^BQ0Jq#M7
z=4<r#u&Pj?mi0?5Y1EMn{e-K?-ky8*gkL8icPkA}456UcZxsTPqwjieO13$J90E{L
zsWqk!yS}oHtE0;qM=&5b<2X^TgiBAaAIeWBPY5(eUy(IAzMpP7^m=5|Rgmqgz(I4S
zXwv4zZ&+>CA-EeF9uUkc4=U@{!>+040$O%0w>N72Y6!v5*Rn#*XU$gkhTh2=7|z))
zNW_jMt463+MmqSSHfLW!r&4fyCzTu|HQ~LMZ(qACPHkl&#=+UNrB}7~ygc1^S;B;^
z6LJOujjtsNE*`$OMIR9F<T(D=puxK0+tvl17YG!=*9V*cev@z#w8hg$q%;24WiC6D
zLtAA;Blmi=^$F6+9u%2SLU-w=!?fXFKg^@^5^BkO%>?Al+e9;ybs-IxSbC4G-4dkF
z3XMKn^e;{zoyAuH>NNYA3_n;mfc$+Kg@$#~4|qht?FTP6#cf18I3hN)0-B{RKiD1b
z@Ms+7QT8G8zL*{MAzJgcJZIA#DUAk+{;>T96m3p|qqZ1<-MyVS%~pO^4*Bw|_fZIn
z-r`{Lv3{hWK-g7>G|=$gcPBo@*cg7<k^t=V(l${sP80?OsJ1M&dWQkFa;b)AB92OH
z&Vx>Akm((+(B{(US*R_>5fTOKV=h$K<4t8-XdzOXF}Bc|rGzrk^w-MiB(q9r9~r&I
z$U+g&6WF{gX!B#MM9!|dm*RjrAqtT{=?4i0GP?>TWZX#*Pn^N<$gS_qV<BaUsS(lu
z>@Kh2v(Vu5i!ZpOTGkNv349c{DOa5n4V!i0_n`N$l)|+PCvz^F!3p<ft0=SM>q4tR
z+kH0;nqzFr<;%ITCJ0o_h)VEsL())#Snizlumz{*-a2a3A|igw4o+G|WMPCU-d*ss
zO42C3!(C%yHcl_`Z8J@SLf0@oh=j2l%76D!gl83FN%2!x7}g%MzOB`#S&#kC1L$89
za9sJ7K%R!MLx##VSa{z0GyQcS)5oac?^AC0zn617NLO)kgq2rgluk~OyQ0UJvClp}
z;p0pyFXua!dl6VzC)4gOqw!5+47$XP5QrjGIdr}Mu<m$}S?=G#EzDMbIhm0%>ss*k
zt*j4&HmXzO;vOa2yCi_wjdYjE23*EyYTPW`cn<6Wm5mH!q9~wKIfcy+ESDY-TjRg|
zQh^mzHH~~Qc!sm9+|5{8={b9+_IvDt9#@Kitg6v93wRDgjz4nkwEY%X#yEhJY42=R
zpQQh5!(cE=FqAo$>0Gh2>Q}C6=vfE*Wn=y%Uem4m{z9dtgWSGaq>%H_H$Uz!E&tR?
zw4OR)GI7tes%2CE#-oQ(oAb*L8{fgoEc{=eOWL{|_YgFEdi<q<{x*Xse9n)rXjq9Y
zPE^AWYF$vTpN6wQNP4VtvEp-|EkAeePk~3VQNgtDHB-?fS%1GU=1CF|sl3AUZeHo_
z*_>gxhM5r8*Fds`el3xyg81w{_8Sbg%X~#^pp8MYUrGOgz8)X+b)IB`ViZEq^1ihp
zK&-L$L@BBwe_|%f*(wh=q0v#NxNYZwKygl`FvTp<=7QGt22HqaoN>2N>PYfbUgR(N
z)Bjz5(!b@e`=|Wjj{lLLrs1D&ek+4c)^zyx{D+mnfNxyT@r^PHh+DJ0TO??sE)oTX
zgKJfz`^)GVS0r~vQNI8?D2hH{(F(;5laNJQSM<|K5G4vn_1xERQ8N$cJ0vg``I5V)
z<qQ$@eM!6`O4$9X$%rGfC7MUeLjEWfE;h?8wNm!D^0g$Mv!lWdx3$1D^-4cUn$>s-
zDG}WBK}$E!&4n#EjJOtoFsW^vkm!Gl-j<n<VtZ>`=}+XR3cU^>Upth!!!J?oI(mAL
zZSup3&+e&UyD;X?{c?Li0x7sh+v`RSw*!?I7pi^yI-5Ag!gng}1vJld1=H!qd{S2!
zX@_BYG)Ro{!E3UMSM>#Z>;*-5-m5#EV6)Y>x@oR&i?J)fE~4g0TJnCm*{2#T?!evE
z;uF98OPrp#VC>O+Wa?UpwoGL-Cnp(xfbIO|tF80*dJ8B`T(5J}-jP{%c>wtodKjda
z&3KaMh{m}3-t=S)-y}+c-?ft>m3SPs*fMMohFVZ7s=u6L;&~lgqF_0KYwnfOi$7ny
z6g&-Vzn|Z~iCMKN#IDBBdc}cU;_)Ir0YYTiy;ScZ_`?+IjXz=@4=yrczNSDh6@eFO
zJdUkq#~=HoAgr={JnKU24e?y)rLbW_)R4OE*3!(2J2V0=hUP{%!m2PTHoH~_w%`Ni
zv_kVFJiksfGDuou7T1T<YaVD&g*I#Z5*`!GO`6MD!02#*vWGp+J=tyu)1$Ss_n{6m
zS%{x&;Q5o-i)W~k<ZD8=k|-T#_>28X;(212$b_?EPhFS&5<^+*hZ?-qWJ;4`pCG3M
z#nUUes&n5-k+S4G&gCsD=A@RAni2;dOxXzG^29C72;SD1mYQ7bMn4sfZc_M^7z9j4
zK}6-!unu6*O~dgM<E%cF#$%Ljr(S<<8oBz8tBHoLkzQU*XbTu4i&Ofxo;cjAETr_3
zdy0ff+KZuH<;;mZGlNb&^VrkRgkAjSBmM>Emau%2Ux%ohGE3Xg$Y75z4ju-?xi_ox
z%fO4Y&<X&@ytvMT$aTci_*OYLv_vv+WUQ?a^dTR~o4xRHJj-nB*TjVycwdOXdQU%V
z%)Qv7P_|p;jdYmH$a?>?&$W=+XL-qO))<<1T<@$_a1-GtKj-$aQ_{<JJBvIBV}21T
zMlnTVYM+Pb7c}CXAC)R=^Ive)d}7AdDFpY4M!px&)$39@{;*pu{OK(X0Ys<LFgnxA
z6zanSx(A64rpxAzq~<Jq4AqslDWci8FIVau5#tqILdG~xz|1nG$rwSLsABuOs^3Uf
zFremc!iZ3hCx`2`hNC|$pJR#lfg5e)==^u|#-_=`zENpKfjz?!Uu5P7N@s(fv3h79
z<m&}h%6?=D)%a$HFWzA>XKj75)>)G1v~zf{C@!~dmX2ak)WJF5h{4!SB+gX5WJq%G
zBkakH^js9uy!Et8&YdV{Hdj?EqjJ~aS@!Ir>q$tn<;G}EFpK#c90u&O^*cSMH*C&#
zRnbqLxzBnZSkJLX9|yT72Vx&-?|Ml{;6||5d<kfq&&4>rgx-u_0;#aYNW*0dtUq{;
z(?7JYA9`13dE^Q6Za%2F7i2e%s5nPtu(sSR8#5&^4##!ZPY4%P<CL9l2S<OwCkagh
z13rp06G(llf-;O4<AF|%L~<Hsn}%_ejX(O+KuVN}GR&|@-%J~>_bzkTxVuY{U)cCI
zkg=Z`R`n5VrOEJIax51g82*UY9^59v9DeaL8Ou!F-<bcKA`PDPybT}KZWYBiO!nrP
z=I46|j6O|#%<OF$ZM}~9kpO9^wD(av^lh<wrE@6cyZ*t?<brNBN$eR*3zW2PJIzpC
z%+U*UPOdbdq2DoQ)KxN@(Sx+=q3O6hriuqFCgvR@Rh)U7oZfSnU*a>V6YYo3v$Wqm
z?MB7iLhc4BNjJTd^=>Qf{!4!9!GC@8ll?7!?LXy@CHas1nyvqozh2n$+xpaKc!RZy
zxtg=-vPKK33g7#LJWQtoxuN2uzsEm1Q}Vu(HQM+G?4g{^>C=vkYTcDC)^)cPmui;3
zNSrPsxo6d`HvCFk-rde?_3SOL+EWz80jsszc*fqVDSuPB?h4VLQq~NpBL$fX%NTqw
zs<=IWHvqS=CaOK7kqPrukZ$`{O7=Arf65;}#w(gTwL+e(9Om*o8SG1WQhKAa9De2b
zf{@)e7Dq59%Y>MZpex9>)}E#cj{{3k3*F0~LW|)%<Vf&ikgrBa-)qo&(fR;&V^!8l
z*>iKv@sC`^Hm^KRFsbg6>Spb=iQ$_F11ps`Ne+~jZCTjxAa>LqXV@>KzWaQ9>O9)d
zg?V(FtN6qX$CiUBKi_G$a8AF;-P1LpQAs{k-#YfEtHI189T*wjC#};o3bl^Y@XrRi
z3HD1SalSOU0?C}L@})VT3qH_)8SCZlJ$j6x$2v#DvV17Ak_s?8JTYuHu?8Ufo}!oh
zzMS7uBAIuP{oYW7f^?sjt>~}Js{+SeDfuvW9}^RpYpl2i8E9WfF3))e(Scn}xUzT^
zS;WmGigqI%;@KUzLwv3U)eo<QKPt)Hyim9+Q{%RJqv)GKCo}NLH;o{P7VwI6iXfZB
zA)mYNM^6xrfIp7$>VE&~8GwF3+kd|>o_(eSL2Ez+sjVFzo8hu_m7(Wi3ZBm#FDq)E
z(GoK!gXcrjQD&MXaT=sZmKbu@0fI&VY5aiH&jDhx$GtZDze1Z;&^YNNk>3b5wQVZL
zNzLx6Zw9EqWw`Ggh<#wrz80*+8C3;l8;7`@66|Ud6Znr%RO;W?HLEyvS<YD+pam<6
zMvjQL%nW<t>ejq8b8@d<N_BV3+7A54n6F|u;fiS#^q1+7dM;94zD`03=qzwWwm8il
z5lkhP)TRjgNF|`n`RIaJ;$;3g-)qjAJ+|c;5}Y%&pPs&0%?-qioLF1i#0f<j9Dl}F
zS&f-GZPP+4G5sqLCR`A}@A$@DoS8sNmB!2DIkudqr($ogzfjC*%UW~a$2qLo;PxZp
zd99M?S3obysyg0g8&LCe0_ZtQKkJo7*f?DaN*CZ-pGvhbFX(k~t4i%cNt%<pH{py6
z3#WmuLBuJM#d1n&q?LjN@5?GpPhylvXR0gOTXGDWH)B~fP3NTsIf;*S;3dr3XM)$}
zPAt|t5C9eghrvJ#R(mBH{+Z+Z@4rC7FG`783Wc{piX}@*o~%1|9rYsR%Hz#z>ke;X
z@JwQue>Jw%MiK{LkOdlDYhCED%bJ(^V3N!z5;qUCegBk_fJJ1!X2`I{Bta&BZ@V5G
zCQtL_QHTo<{XlobS-`x)YyRTBdkrgMJi+1?jCr@-J~|Ihm)<g3J{6sz*Xxr0`s$J`
zLxixePYxoh<&e=$+qBN62At=YEl5;Ga_#GBqyj89y}UAX%VEB|5)nBG8-w+WEz0^B
zO<KF6w_n+s=`g>S5v&Af&UAK}rg@&~zN+ONo_P^g0(pM!`H8=Sh0#E%0u1L)=_aXK
z;l#@qvvJR~>NSC={?vL7=3nIIl`wOSYB@7ou*RMT$3b+5OBT|ET*+N<HTTUuOSXHS
z&FSu!w&~(k<#3f_OSeDWVIHiyGt1`ZMixnSoOgBvVN5FO#<}8GDuK%ujJmE(l&_4v
z=o}nX7Xg8}A9^ymR2G@##pc}mH554Yn9eyb@EM9vWXu-kQulZ6inlM!5&aZPW(sQ&
zRwKz40a3pfh+%xV&?sB0YMt+1V!JCg7cHKI39azn&EkZRIFBMCuW}JPl425AN=^5#
zty(AdPET}I(F%0(f`MF~iKIYVesE?^-^{@EaDzDs$2-*{Pw@Vx;|#)bdltP0C@6oU
z!%YX$1!~BcoXX*_3{6q>_-~geg3!P<7Ng?s3^iVP5`W46{@>*%|6Bf=f6AZG`5*Z)
zto|v#$S?cGG};G>F@Dm>d0h|2JDvzxJt}K9tM67vFc%g<)|qeIbdN_wk8sJw0xBLB
z6PC#sh;AEGZwC^d-cz;$anrBdKGxCCS2r<{)EaDKfZPRAAIWn3%_A(wl^VeK3i6Hs
zkS!H29pbIJY+_w1zcLSGT^Z+$6gglC`&*t;t03pgX>o%hdExi=iRb{9&yxPwZt6C1
zsjUt{j1k*da)3ZxW2V;yai}dZ`sj&oe*%^0d7U)Srs?)QHPUsSFGVvMBa%uiXUW8H
z3kRi#nAJt;8012p-!n?~7p-2+kxp}S_B!fc;5cMlK3BDo$SY?_i`OUKSCVM^qEAQ%
z@ej=p)a}du5}Dv0%g=8(#~-CExD_bvn9D|+=f*q=#%_%HJu$^?+gG0V=qykD^67*0
zBFCG)z5d&Q=GLjR9Cea0630`&+a!B^a;Ay(lkv%Rf*RLFzDzsz1{JK*B?*k?R%F5S
zXE+MQD4qguz7rHEjt~~R1=v)I@b9f?VR^uKNJQ16bEsuEZ$vda>mD|EB5qO#Qw56f
zI3DTrfKpWU9%vm3GY^rK6S40UqnAa)52p0pwn$?GRCDS8mXa>QioOY2m~Nbl%HbMk
z9Ap_Ez^%3!dmURo3kfgbnp>nmYdc^&0eastE|^FD@}7sBf7(SkH8NJ)LpCL&CZjH+
z3lU+vz2Y0IH~1sJfAdnAvI;W(`Ir~rRMyVb?=nUC%6i`FUCJ)ZfqEp=t=P#tq|pw}
zkbgNf<#CZ%<!zI_%_E2^x8gh8+6O2F1TOPy3L1#?kT8<Ra;A!yZL6#cl!MGGGthw>
zv4ajf0#R*BLBWNNH$O2MzM#DqT<TczDA+&)DB^%IE*gEUEaMd@qnh4r5N&ybbDtxP
z6gV}Ac@0NzZl#6~eWhD6fCs=2oM`CMzSWpFVpMEqy{7;^nv!ygPB`V9uADP|dQ^R!
z!^x&BRt7X!q%>-k^}s_^cElph>F!~9QP)!+E|S)8OfVFBAA;1G0eV`FhdW<7F>LHK
zOi*dUxFNZ%-F-6`hdKk0Eke5=Faf%89hiQTm=k-05knIt-{j=hlIi=`dl+7T9z(9c
z(0e}jTWaah=~e=Ps1F0GsYazwlq5E@MZJxi88p^mRY;P<I~`xllg`2lWjAtPF0ha$
zp&Ply%Y+AO+Ps)_hug7x8&uf2!?N?-L(XYz_9PADE$z>y7a+G}?M@D{BRV=I!2B{=
z2ebSByyBP^!lMC#o~55A5gz0+DKF+8qiB8b73=6w=yk_TTsVdr-mO=a!I{0WWj6(A
zP2~2ztBQ4)hke|kT-`qqb1r?rnW5{OI(VHw=QE?Un5Dnh50Z=cKu21n#?(3(kS9d5
zSD0um^DDTfa?W7;V%DyJN;<_$$tbg58V;8fqlwYj84|#@t#W|krM81&Mtaq+#3*_X
zQc_u^t-C9~er}hR!7`V|#sxp#PiIpyYugGoP%P~6SQuP{J>)Vpj994@9b_o|QWRB*
zMD-ZHtXu>y6rbS}>~VdjQ2}5@^3+{gZo^n8U$r-jr#~yx6LGP|AhBDwIfmpxgY9o4
zT$Dmyg+&E&z9P`BNr$UCC!{?=uv^kJF62=KQ1H&J8ml8M_&mNQImfOdUU$Qv{R$$-
zc%|)ReTTJZpweQOeWIe^GeHgrCMmu`KgB`wJ2c+j_e~skf0{2?p%ZudFwXSk(6wu$
z*Kbm$`K0-(ghbZrd5;sHCYGOe2Mt>vMT^gK#-QBY_5*ri1+AYWnb^bhJAsbl&ZstO
z*%Ey;yG50KUdO0m$$J*GpYC(L#tXM6<ZXjqBC1(RxD$z`J7mO<Et1{sH`Q{|vU;<|
z%U!w9lVwH+@H`Ygn}#6U<a9ds^?r!1Q$-VAW_FP(_so^n43U9oy$#nzcChmfVTt=K
ze<BR|-)g=Tf6HI}Px=3@`Tl*+FaQ3(@<adH=l@gl{ZsS(Q}g{(^Zirv{r_F_{Y(DT
oVT^y1pYm_{tNu^<Y5pt!`XBlKblm@R-2Zgk|8(5{|99N~2W?-o%>V!Z

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed-success.pcap b/testing/btest/Traces/tls/heartbleed-success.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..47a2bac1a3e69860dcff61ba86d805f26e5e9562
GIT binary patch
literal 39524
zcmeI52~-nF8po@1K?30xK@fwWC@6F^C<p>_D5$6df`}*+AV>rfOoGTbDj>+Aj<++8
z7hWK)3f``cPP`bol*J<;UWkZ-ir0v!16$n~hJZ3}-<y5w>=f_S!)~hoUG=N#@B6B%
zyS#S(&~^%-0p(9y8vqzQ2(k9`Z@9q(<Ke%FM8gcIuQ2DV0=D?MI`9I(x%HeIa9})k
z-Cr`fGJ5Ze=<TntQ*7yjQkWTJQw+=BI{-kT(T~t5>MWZveYA-47?r9<D6<v6D+4eK
zV1jo2c4YwEfE(i;g-|8bu~XY$DfCXwf$C-1dJe0CAN{V}n>trQs6%CSLb+`Z3%J8O
z5vg05d9CNkGLP+2<}#=roumV72W)|5#K`g*5XyvNcpeM*LL@}$s))I^ULX`7jrydb
z5wIP)LRHa_O2rr$z$jFzzo&Hw0p;^QNw8t)fCbn<2j~MsU<Yu(1;fB_U=K!sk-z~s
z0%tH9xByp(Yz**(4HF4wgD4;bb3imm1?eCIYyg|V7O)j;18s7OoGPcu>2fu>x|}Iz
z$u;F{xt3g8t}EA*>&p$~7II6umE1-?L~bYN%7?)!PX`)+0)Mjr58hb|mc<yJ(F8_-
z3C|gV-as8NfEq9Wy~xt)!IENt0;oV6mRc9)*8@5<jE+$-8kJ6EP$^Uj1^x}g2)J`0
zTxD~0>j=DJ1EM4JdefyNM6;!Jm9V)+2j6Rl3!7>&>;wjcqUB*0Sfc^R)KyU<wYV3d
z$lCom#YntEF^N!w%>`yr00?exu0cj20hi0|cOLPsJ**Yde_mmY-vO8GsBNADF?G%}
zi^!-`2`6m)3fv8ZajA*(SWcTS1uH5wrb`#vjMsFP+X0~02HPG$fHW%X10)7`3(ZtW
zGzn-f1PoU^h2ey!&@Hm56pTWlYDzP3HiK!s)O%?&8^bi{08d`d)xenyY5<L)Pw|<^
zHN*{w1C~D9U&fcnJjAh_iLwY=t_?nzIIp4K-(L_OFA;D&g|me+ehkM$Adv|ph2eae
zfa5QmEfR`ma~<#zL}seKU5AKA3|}hca5+;X!dSi}k>ewh2_&(C2qAf$Kr&At;dqR}
z&3d!B!?`%u9(S-G$#V>bhdknN*f6dmcSJBgsZ(hK{JBQBVf&4=6A}_^V}vpM1VN0<
zHbTH1fLnA_l!+M{#)+k}SiThA)U8uCJO%6DnFvM))D%n`!1F9h3WkB>o{{JG`kW5<
zdT&`t-H$A$W=f?HzkT}0XH`kJydAAa#ojk<`}zIUOdGdpO;&3|E^H{=TXaHCXIHPZ
zYmXPD<;`BP_d(iF;n$6eoEjb8`K8_gijxkj)0S_l8EU_7s^P=~C0vPv(V2njo9F*x
z6IAj<e`ozAeeQ1;J}e#g%PWrVz&lgI4~~8xyf`h<<S6G-f@#?FdCyI3I4?(>+^ODh
zb4YPm^p)J9-z{P0VZSYyT=uXf{`;HLv+Vt@?TxPsb!S*T=<Bg7<ANY&p^5rwL1X{6
z!-W&4JW}8*22UuPHi7!{(17ZV3u+9Cj-R+zb?N=gt(jK#vXci*Y~P&n*WbN4aa6&B
z1PT>)v7ITD8a#z^o9rij^=T9w;2My7Uu_x<K7o61ed1sMO%rD^)NL3Tovud3@V>-J
zEt(<CAU{nQ#AKS^y-jZ|zIZ9Z>xZ246?i}5&lWV;f=LFA?!59J3jVR}wMn#kb7_Qa
zlhzO~+=|GcOXJ{XDP3DPMMJd>1Bt90S_<Y18_ow;XE0_bYeE|VkDM49utYR0`RGV!
zCgBNd+*Vmg3TD_pN+ydNWoJipA1Tq{rP3JNaB-|%oH#}po@g5v5s4=^cU(ZhlN)d=
zL(cErx}*0C#Ujp_cv+NKB9tZK@Oi`fB%hfYC6sc)JMsuP34AF>D3!(wA~^i;aIqu;
zJ}w-Ym?Mi4aFmZoAU{SJ!Iu$&62aVfp+pcX5Xqz*aU_}T_j`}ww3l)S%oii%i^2sQ
zu_z{y6DgLEIfd{U6GgyV#l=ft{}*tCA`YxuoHB2_9=tY@C`BBseIiF379*TZ-dt*n
z+Y?;-(QNS{xOMiR?14)yKjI3P#Hiv5m&mw7iL)@_$=@k~VHhnr8DES$Do^0p(xD$U
z#NpC7RS{`?m|ZwwC%AS}(jwS}^Kti%ODRi7e7uw|<f~puAeP#}>uuYww{5@PHk=O&
zB!i{^)<chGiuYM+^tlG_YzClVgk}H(2BVzBcFXS+_uV!xEW9Lh%C-en6*;v59J94y
z(=E?2wcK02_sea1E!uZyVFu%k^JdYN+)Fe4O!A{CH7wDhYhRi9Nk`s(>ly87H+cKb
z;=A+nWsjN%-g@Dms3)V!sy7(Bi8Sk~y|z8yx2|fSQ)pIN>V?W30il9Hno}6`vk7CT
z)*cvqQ@h1uepW&Hh}58@)AtYAkC#j=Y8aB`Dd&jRrQX|`apT$m>c)UxM@H50-23|X
z-8uU7xNmaIPkOF5<9W1ftB;M=30u}{`LDC?3!1L6q5@a`Y*QL*#`?Zdad7dLtjebi
zH4p!JS306kzIWf)XC^xGJcCp2tKXgsztd}UOe_~L9H0l`;VCrJb`OFXb;d-8{$pV$
zgZyW?kHO@#58cNfKWETi;3K*CFy1iSp2r<Y_>0bmUz&USBX@Hwvv6M%({H}ozBS?H
zuRV>7Qj-Gvtv*nb{%+WmBUi^Uo<CFzjnmR;?km5nGlG{Eti5L6lEQsKey%4S9(}0K
zwY=|^qdrf*MzqyB*4I_U=dh}$->Fy_e%NJf>pSzWj1*;f&Qmp!Q(XFymUoTMQk?1H
zHO;$jv2e4s(pI%%MQGBN{y}~R7&n)tTL=ptSXVYIsW|;=ZgpJnAnp8Mhd3`iSKPPE
zDZh7}c1d>LOz*u1`BO@GWzHezH6H26mv4GbrG~X0igA%>Ju~&NF7noz=6Hc?eo5!-
zko4B6>;3xqIdk<kEv}bm@1B1B{z{kU*Z0&Y;<$Mi4qwTS^|xcZ&i&|au>H_b=i%DK
zW2=v0Z8SPgg}-nu;)FJF0{R_{(aFVp(t~t%F_Sc!`s{L>vAef09WUlZd6bVi@Dh(y
z+7@W1g7F~O?LN9MXr@d)Yo?%48rqSOvef)@7DXB<{b+w?wA<0CxF2qnJs{iSkFSa8
zlChh?Rf<Dvn?$H{Xo+|N9^cv9VR+<!?CW^Sib3Bv=yMe#{E9MmBRyoNm=f9qY6=YT
z&6z$fyE8=hG?sba<od2`4xF~5=4#lq$43KSrFq3W)lKO~TlO$J*rgsENGpHe#-T=(
z?5ETeu9m#r>3ieOqf*!HSvzXK9hqA=d8Pf0*Ed9r1-H$st^~G~;Qf7CGik5V>h``M
zBJ?;Ip*vCmnYu>kRGZ@7M1-#QK{Y}zghNXh^BaNDGZm^4dVRk~@vD4qw~TFe=QVo;
zY3j053kq+}bZNo1*4Nw&Sbs)ly5NJa!Q_350>&*|@On4f$87zhX1%keZS!&lj4OW?
zZ-3_d<3Wavdqd`npZMeX4K&}<JWB2JV>G=t_(9##t0o0TC~i4>gi0NoCgi6#zG;oh
z@RT%Es1*te&Te1U)Z0hFKj`Hh>claBJmXO5YsF*kuNuAhPT#DnZLIof@wx+ZYQw@d
z?1}jHMEa|Z!xpXC;dkcLTfvp0m-vTeXV2wqP=sdIgz%DnT{%w8?#Sw&5AIkLIw81x
z#x~2P^sj=2RDp-j+>7_b>v+*`Oe*sVCNA=CT<Lwcc=%E8cO%C4@y{8qS)N(u)2l3#
z>%2-XQ3xjZ*=LQ__5A1P?*<8SToSj2sCy3HUtq6mYd+~jMZJ#8%+w`^&!2lxQTQ8k
zf{c0l#o?>QE=lYi8ph8Z>Mx$lzi&~^zrQ6!#L4urwU~1#?5x+3ZTZV`U-Wl+yYT+1
z@^6gakDpjuu`qP}66#Z{8x~umR~(tXqpB$;W$^8IV`tZiIxCt^#amSzSdzQv@{C+!
zu<NS{Fdr)DJ%;A_I4mVoQ?v9$1ykXC^{44Cmwo%{=`%ZvdLv`)CXaZWZB?GU)A<T7
zw$SNcmi>cTHZ{=ujH<4a;F*hNn1HDpXwbbc-e~3pKBQus*wtCn-g7Q{NCH!<OC8hZ
zF&AB3k=GCxBf0VL&0L}T-TVc0@xg=dQtquiU8#AL?Z0Sv!>u2t`o^6Yt9zmM46$2n
z1iLEKe{@k>#4m0x*Q>T%{!wgNYQk|@9sHAIsOVVvtc1`LXYQ@MJeBVqy8eozdb0aH
zz2mpG82+}}EMq|J1*Xl6jODq@?$AnCI#zwPX^`hFs!xt$kNTmAb1N(l29-tKc|By;
z-X{+awp8e{etT?u*<_f}+xHa#D}PF-=pM4!{iJ+xZl9xb|1n%#mD?Ps?`bhNCVTRu
zP5p0L<hGf58V2<7O2?ZicC+)q#`oO7dA~LXwM3^gAKWL#qcmbFg?NxIrfGBxp1aOW
z0AA}wa<0Qub!MWjQlWQN9}b?q%;X(26UJ}=okS?s^sHD&DtdHREIb7jXBfkQ^2gbe
z4#m2j6@MWW-McFm9fFFIUaz|=W@TuA209>9*ILtWwO%3=Yd3yQar9bMMI$QJ^*QGH
zbPW1I1P}p401@~i2@u|CGqn7pbOD*VT7KOjtwn_8uk=>6{EbNpy>?#`U8!pMzsPE$
zLLmZ(03v`0AOeU0B7g`W0*C-2fCwN0hyWt+ClDZJQgY!;N)NBy8IiBuy;NO-D>}rM
zewYtu<>z#I?QR8pNzRy1d=sqM)2w_cIV-<jb#CUveC6CstY*jDOh335vEomtCXzq|
z5CKF05%@0>AS{3H8JZn0Tz8$7*GO$GBP{>zCn}a-M&T$ezw(7^=tq#{|1Y)_l12m&
z0Ym^1Km-s0L;w-^dk`QZbaNP?_b}UIOwRVa=r-FUW5>bSp5>ipdo~eKI-$sgiaor8
zd4-(qS)&^Bv*VO8e~1B^?fHB3K2%FY01^0qAwXDu5YnUNFDEVkYE{dxZ$w&tBOnQk
zK$idir8l5@AOeWM--7^Q`I*r2_b`g+LyjVzcOOL<$>AvChfj?niiWa#8b$nz^d+lQ
zeTk7=If|Hau)~*F!ZqVfe~*?xwL}CE0Yu=hOMvht_o3y_RRd(|x@N4lv9*G*{52J-
zmftK&If@8_+s}Rc&KOz#zivlBB}W7h0Ym^1_!0@YcljaQ_Iz7*PeVWxatPSeeF!+9
z3=RQzb{YcifeT5NgklL)%rXUJ>be(@>9@tEgknpV-8$im$g+0DghB0r03802if}Uz
zH$Xv~d3=fe36%*EKm-s0L;w*$1P}p401-e05CKF05kLeG0Ym^1Km-s0L;w*$1P}p4
z01^0K5g=A3U-Y~(X-=+8W~;7s*1aQFCXK+(t}B!OtD2zuA_9m2B7g`W0*C-2fCwN0
zhyWsh2p|H803v`0AOeU0B7g`W0*C-2fCwN0h`^UifLNI<!n8WR!tA<v0{m~^uMwLk
zJhoTeJYhhYLhm{SeucTM*t=u%1Z(2ENkXx{XT|HJBCosRJwK>edZwhi;!CKg+#s~;
zcb)WG#RG}eQypiO)l+?nyYjovuQNKn>pTX(6t(_x+XIyh5kLeG0YrcxK==}jq6M@m
zfJ|L2KLsncA}qgwp{nIqYf!#76S5y!{=aNr>at^myO&)x*YH3?nBU8`rNy%xHxk{0
z1-plG7r{>iFE_|gV|e#aqj3ieHQpWe?H+23>RC}iDh}(e_~vDj4rY~G-d)kNXT?fV
zk=soX1~5=@>Sq7$iW9DBfk^<6savhxTB}G!%TFm5K*bzUhoT)3vSApVrO;PvQ0Oy{
u6HFtadJjx*lInKd)tSd(d85}IQBgleC=R~Sqhd9wX!}V;1E^S_s`zhG8eDMz

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/tls/heartbleed.pcap b/testing/btest/Traces/tls/heartbleed.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..46e7935d18109d31e681d0037c8b0cb1a93fb57b
GIT binary patch
literal 22223
zcmeI42~ZQs8pnGwNw{z15Rm{PiWnvk5CsVc2&kwK7dccmgaFYH*d&0s>vE_d-nuBe
zo*aszoPvs?Y}6-j6%W7z1yNB~JXXOKLGj@A1VN6KtylHx)s{7>nu2M%|MT^)d%myx
zn<3ZE9?l{GGU)wucLRXHlR_gmwsN#0m;rys4=~p+P3Q(j=-Q?6<$*f@j<rl@z@*lN
z6jaZ-ncYarJqnNt)7h*dymBT<rzT(-03<S{j7*YOoZ$Fk2VRb#s2r|5zP~b91dya2
z{T^iioPjenBLi2()sc#$K=k&=L8xAwscF9{hy7WZ{OFP;t`3z^TzPY`BA5oRgdam}
zX4cxuY~~NLxfrS+N>m5*y`!Oxh|JzyxH7JI8Y+52B=|8{5n<KZ;fl2j|58y8&;#@b
zD(avpLPY>VLQ%Gxkqj1Y>0f^m;lNOUB2WS9Knv&qD}Vt8um(237TAGFz#dEnj$kTq
z0xXEk1-QY12?OCE0`S3Numr3GsbDqO26lp7U^mzUx}_v3DkV!PQaP!-R6(jJRhFtq
zRi$cD4XLJ7OR6n3m5z~`OD9MzrB+gg)Eag<04M<x{HX|-@XD&t7JXQv4D^5kEYktH
zKps$m9MA?MWY%gzOA$Z<C{Tk|Yry)NK%I<G5E4R0DJT^sp(GOg8-n0)Yx)n@;EBLo
zx&xmGM&v;g;gIQU=ZZvixu0`p_P~Whg~3U%3s)RfsR*_x0oeftDJrd8x)WE_D*cjT
zA)Kc81b~VRToDczSVRIKP&QnJA#)t(xggKY3k3PMId<#DYFZZYO*g#WRL~H(n8pY=
zuF5VQpE0KT-#L>e>TT9o82-!6mOl=sI*uK?xc2fHsTBa4-Eiyy1V~2V9FSpvmrzcD
zM3aGX0-(BJ$<(P>GQ}(tB_Sjdsuo|3sZbRxQan>SRS-mp0<ffY3?)o~ihe_;YLUEV
zF?29({6tYpg)QNTB(71Bv{{l+I%5Jh9xqqYGGX($F(Mw#jUUdJa0E10o=CzE<8wI@
z9*xZp7xIPS413HDuZ(J0^@+F&IASr4L7OY$M{-2*G%ulqCyL~S@@4IKqFA1Y=IVlt
z)>UCJF&i5Un`}LqVH*ffZQ&^co5ZlSwGPB)_p|mJHbWoN?YWS8TwEMoz!z}hcmfGs
z$dfR}U?zP%RX}t`gz|*Y$k5104qxER5pknL^iUp_jF|K%f=~dOjHm%vu1HEo5KuVH
zKI4yb=(gtY+cxuzFJ$aDA9XHU;XrE|Tbn&&N_^WRg|hX#5lvRGO;qaR!ZCFb(>3m%
zF4G9VeWY?4^WTf+#F}*8IBbD9?R;3<G3x&Oov$xX`ekQK)~+tr>aH9t!E3Ak)uyNK
z&F&fa{G@XuX_@zW;rg}dP7(WrX>mT*^G!~MjkecDO>|GKJ8#!Du0hw^VZT*mgO*lk
ztK<BoS=jXiWwXj}FOO_IyN0dj&00e3U|KBNvtZ@*EqgA0@OZk$e^J>&vMD?L2<7=v
zPUX7P3vn-k8xJ`zd6v^*y7$@-H$>@e{&(K9Hee;53z8Bun|5-wj@7mXyLCj=i`2{Y
zQ%dfVP&mbMl1UG+WYS&PJTcTFlQ4iOLGFfXWHP)14`5pOi5XcLQ>4mIpdu8C9ExCu
zc%dp;hphc)bL_H$yo3--r~4kw8c4FvB9R|vg#X!;tcU3&YCoICtogb4(4KaKCGwpY
zL+P!mmhQ6oW~f0n!Dz`tMmJfx|5(G(^260=<YdGfo_JyMRBCvVGV~Jg%z>%|Z6YH{
zM<zi>2@5PRdas!zM8_mTB8i@2Wra^5F+SzRVga2S6=@Y6CE#=8>CvHKSW;(S0}__>
z6f@VMeV*8T^Pe9jq`AaMBBDfmNjwJcIAml}<-7>Kn8xj^!=uG<#5BHG9K#Exaky|6
zhQb?$CW)d+B6zgko5YVJ;D>S~xS)vlT?}8ui{uF<Vp>#~tlH;myU=>9w1o8pe2$RI
zqeTe?@wBigk*p>k-etm2c&X?ZQFN4;N8<}=uy4`5b$j$++j!iHXxRIBT2zRDA1=GN
zn2y=vT#d+d%o4N69G5vZWy~jBT#;ZPF0M$zn249c154V_3k*TXNl91&Ho3O|LsBMw
z(um@UqX&wJV?wOBxTj!PiDf>)ip#;K^))4>*nMis;d2JI#1V_FV0(H`dwNfMI+p_t
zl3=EIKQzgsu#qWxUmEcKjsUtw=m-!H6yB))^Sqp`>=X1bgFK^d?!i3n6m|K)5Pd<=
zQaY<)mEZ`LXXai2Zu)1riuRg%zbp^D7|<A;n;PqFB3eJ9c!gzVu*2o*tCc2sdMWy~
zj|6Yi^xvFPHe2A&S|^w8(6~J||FYlxM-7P{h9;#OjSKv|*Im^-nH{U>$=17*H)nGe
zWzG9?=M8Ri8tzS{oGmzZ>Vw&dgl&h)s_G19-hKF@VylZ@y5ANR_tg`<W_0eurXRPN
zh}xgu&dpbDn#7q9bmsi8ZH*>7&UAT_w#yw`Lb6RKj~+j-1?=+u;W>|$%nH9{%kX|+
z|0H6Oa$C^2Ca<(g1NmIR_lqO+9_ktfz1{?<_ArJpv1Ib7o*07Y^~Xek5oCEkm;Ap9
zAmcG}IAAb<{QZ3fBL)l(m^ITHvt=?S;Sr<%=|3&N{awI0npTzHs^Gg+E`JNRrrk|X
zZ)KvN(dNSD)Gq6}Wmi3@ZI9%FqgB;A4W*aW?U<_q)wblXsLJ>EWu35p{Jv%XnETGT
z^0Cq_!rc~;-Yg-9rq~#8r*1j7)M@(1E@L0P`b${ub2*_ybZXh#u4gZj9Vt;;I``gI
z#76%l{wQ~$J~(lgiN9|lwP9_lDZluk#m%QH>Q24-t}!}roLW(!eYCqK3-i9@P^A02
zT6JdLLeGOGoVnG^OO6Z9Dm_-0uG`Uuq9Gp-3!Fr%FGjgqocC0nKlxt_<KNUzTc&=T
zx7F9k*O8&QBcVl_xi8@Q{f$m-*AFz;M>F#NReGf;l5It8-~TD#AO+A-=V5C2ZL5VK
z-DC=e!XKC_UZ92-z{rD8`vsZ5j3NDl%xtCBk$atk_UZCdu?x%y*BY0?Ke4c0-va$q
zAm$IJ-KPKs-IT!>-4t|66Z<NXQjEXkQN&^5PyQzex7&z35A(&$GtDwh|Gtf2P{kn*
zw^tl`+eBQQMvlkgu$cbQ4#C3y>sZI^?HG)W<G$1}Jg)Sv-eeK7->MS&1T+~g@{JX|
zoc662-cwrZ*}(AL*y%SvyZLI!{3l2JUafMEark|%5qa&S%s{6WP`Ik*T{jI4tu7!n
zS8W!($??8%=kY~W)|%`GKTO(RHD{ykjrJQt>i12?x32hgS7Rn#AJfRMR{f5z(5J!`
zx&sPi$KVw@I&tZ4e1$$re&7mS`cAgy*OU7>*KObm{ou<MqsK9uyqn%m@0`Z$boW=*
zP+3`A)v(a%Ewa0%x#63wm6B24zxURjlmFv49?QRP->2d=dh6p(&C?gVV{^?sYF@?I
zR%RUY*Liku!P2Nd*jUk1viHS2(u206WX%q&L}Tiv*?yt*w;f%B#gkiS7NtJx_!zO;
zP4u)*u8LoLI%{pKu2(&$#N9L4foA+9=<vn%`X`LnN+UQ9%hDe_yLB=ly>Rh^kdSQ$
zLVqYvef5j=k6W^RD=XgcuAKi9d%yPdncQvl!D-D4n2E19ddOLoZT__+`^Vs!fi*#U
z#-vbu0{JM<)$6-+_oC97OF9g0<`vKSk^O9==iLi7M?AaiW{hO#+9=ngUGf@nDUIQ{
zNh+%6&GfZhGhM^&_|y&Kc)3pTyBEm2jV~y+)u0>CF0X4*cUrh|Md{fy59_KvD9n^7
zG`%dns_&GjlC7lQX5Vt|OwoPQM$Y|R3xu>ZFS_aC!y%{L%k~tl-T%_W;mz{<n`)Nn
zznd}ZLEZA;87t7|<~K}tFIis}kbSFFkUYLAM&FS&OMQK7MT~h};fnnSE(h($x4YiT
z0P#YBt_wMRz5QLU57+Y_#9axoq~AVbV_Vqllb><-r_89|=6=vO4bPsDb|)c(xjIAB
z=r%7vFupxSG4@+jzhonAtHZd8bTSO@J33-Z(73a_TYA@<Ty?{r*I#|I`s8-~nVUtg
z9BhBdS^lfyDvv@#Qq{EE`HDNQCGH;aYCQE!<QTf8<Dpu5fDvO)@S*C?R+h$wWA70w
z>$_^S(g{uc-12yP?0&+NsWDeCkHl_WX-g@u;2seunU6UeY@D%sD>tiSLb7@2dt~Lh
z>7C;3E8d98=^5nXT1YICRH`|_(4fu2fJwP`({10$-!5Ej-~Q)g6SIzMatoA4&0c&k
z^i5T|wZ#ecwvy`dmnUrBDxQ+lZ7Z79(lz#CXQxlcx#x=v)F>W7tZ!QdD>m=7Kb~OF
zb<g|5BBQS2&C$+lUfBp2mpx>qt~ytICq=UIGQJ}vtHOK%ek&Pu51Z|nB+GV$56n$C
zSBTzLuwk~teV2F7tpqo^d+-e}u4q5JqP<KpY^b929aId;*f><tad^eaGDY4{#k1{D
zQIwuARB=9{1g2;J*)cdHqhVP)1y?*R_>y9o>p(?46lJv`tmiJohaf-@AP5iy2m%BF
zf&f8)AV3fx2oMAa0t5kqz*j~9&-QR(CZ+FfnL#g00Ory?vez%bz*OwncGKBDrHSfF
zH~PJPVTb3Ca79g$5_n1hvSV;=hH|@hDxRCUczj@P#-~*DwkO;3(sy8P<|{)^bcY~7
z5FiMAbp&wFKgDHO&+jDj{N)2Z|NNj{&;M+1pXbkn&m!!;Iz&W=2m%BFg1}cs0QdYp
z(DM(oi^#-x5u>|@?jjbViR!8c`|Tp8^zI^FLB(O7@Umo2cn3Y#UWoR_l73HkiCFTL
z%{QVu1Ob8oL4Y7Y5FiK;1PB5I0fGQQfFM8+AP5X3fahjD44<3HlI3PT4$aL(!uR<#
z9}mjSWa5fViNogkr^)jCWdrm4k?&-=89gAn*3p;e&xU#aDFZDg&Ikeo0fGQQ;GaeS
z_xx|6=bxhjWXIrldsJL%U2)HUZuUUWFV5-p{Kfu+=l`dTDq#;nfFM8+AP5iy2m%BF
zf&f8)An<=6Fm2EW-(Dd}!@fq9ElbsX7@Dd}EKXF{+Se~t=LBD)%03De=Y^o3U(6c(
z1+L86>G+1N&VS&BEfIbhD*R^*4IuK_(7R!KxgMtKoN&eV{)$8YVI)Up<NLp`u_RGL
t+xN4L*U~09zFdzhF3TF$Mh}^d^9R{j0&RSae?7<ymp&UekRM%3`wuGq6MX;x

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
new file mode 100644
index 0000000000..a2db2afe95
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test
@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+	{
+	print "Curves", c$id$orig_h, c$id$resp_h;
+	for ( i in curves )
+		print SSL::ec_curves[curves[i]];
+	}
+
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+	{
+	print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
+	for ( i in point_formats )
+		print SSL::ec_point_formats[point_formats[i]];
+	}
+
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+	{
+	print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
+	}
+
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+	{
+	print "server_name", c$id$orig_h, c$id$resp_h, names;
+	}
diff --git a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
new file mode 100644
index 0000000000..4a980bb895
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
@@ -0,0 +1,13 @@
+# TEST-EXEC: bro -C -r $TRACES/tls/heartbleed.pcap %INPUT
+# TEST-EXEC: mv notice.log notice-heartbleed.log
+# TEST-EXEC: btest-diff notice-heartbleed.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-heartbleed-success.log
+# @TEST-EXEC: btest-diff notice-heartbleed-success.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted.log
+# @TEST-EXEC: btest-diff notice-encrypted.log
+
+@load protocols/ssl/heartbleed

From c24629abf4490a59a60e0579ce0eb6d6fc5855d8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 24 Apr 2014 12:36:05 -0700
Subject: [PATCH 192/220] Add very basic ocsp stapling support.

This only allows access to the ocsp stapling response data. No verification
or anything else at the moment.
---
 scripts/site/local.bro                           |   5 +++--
 src/analyzer/protocol/ssl/events.bif             |  14 ++++++++++++++
 src/analyzer/protocol/ssl/ssl-analyzer.pac       |  15 +++++++++++++++
 src/analyzer/protocol/ssl/ssl-protocol.pac       |   1 +
 .../.stdout                                      |   1 +
 testing/btest/Traces/tls/ocsp-stapling.trace     | Bin 0 -> 9427 bytes
 .../base/protocols/ssl/ocsp-stapling.test        |   7 +++++++
 7 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
 create mode 100644 testing/btest/Traces/tls/ocsp-stapling.trace
 create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test

diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index bb2cc73a53..afe1d9d4f2 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -81,5 +81,6 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
 
-# Load heartbleed detection. Only superficially tested, might contain bugs.
-@load policy/protocols/ssl/heartbleed
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 5106552740..f32649403b 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
+## This event contains the OCSP response contained in a Certificate Status Request
+## message, when the client requested OCSP stapling and the server supports it. See
+## description in :rfc:`6066`
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## response: OCSP data.
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 66224bf45a..e9d29675c3 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
+		%{
+		 if ( status_type == 1 ) // ocsp
+			{
+			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
+			  bro_analyzer()->Conn(), ${rec.is_orig},
+			  new StringVal(response.length(), (const char*) response.data()));
+			}
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
@@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
+
+refine typeattr CertificateStatus += &let {
+	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 857bd01f26..a8b9975eb5 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {
 
 type CertificateStatus(rec: SSLRecord) = record {
 	status_type: uint8; # 1 = ocsp, everything else is undefined
+	length : uint24;
 	response: bytestring &restofdata;
 };
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
new file mode 100644
index 0000000000..a8735f6d41
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@@ -0,0 +1 @@
+F, 1995
diff --git a/testing/btest/Traces/tls/ocsp-stapling.trace b/testing/btest/Traces/tls/ocsp-stapling.trace
new file mode 100644
index 0000000000000000000000000000000000000000..8b66f7288d11316bcea20d3ca91066cf167391c4
GIT binary patch
literal 9427
zcmds72~-o=wyjD+2s0sJkTEFu6eLt2D5xl-fGD8IWP=hQK$I~FvrM5G1rZ0F70~WR
z#i`Lo6g5ICsEDE<2!e_@gEF<K2>e^YpbXFV-hc0}zy5cvyG-4xyYIQ@+}it|Q#4fl
zUWkEkknrE=C<MXa!rb4(xuj7Xasa>42F=cRnUh>h@wdIXiU3(dkeRZX8DxfsAbv4!
zXUeeY>efr}#aU7NU!xD7#*B`pU4bABPUI|%#o}O?AWq5ZBck_km@)M8Qj*YeaE-Px
z+_5<X=!<P%nn84Ylr4&k&H!I*z2s3I-UMcNQy@oyl4gyg6L1)UI5c!*F**Zkw}Z4K
zWC2joHpOl_Pib1a-vIRHBw31XS}E|rn7s@X6-Dfkk%aVtThKNc5!NhO^8-XBif($r
zL_`HF47~zKomkjGyEHbZ^0d>*Txa+6t}JY;m4wEz!x<|5yc&gd$s6xMP#~Yo7w6C9
zYeFWFF_ZzN^JVxVkP-AVUye`UtMXMK1&G9#;$tCkK8Y{J*Wjx|hL8cY7uo~DWW|@}
z;~;$~A2NqT`9!`bUy_f3L_omhAvs74B11%o0O27lG>QQht%f8Z92SBxkT^sKAkvT&
zGz0WWLQ3FaaWIvl;BiqfP#%DY01y(`FBkwI1IYp~5EjrYg8B&pT`-Kg?-*MOdLse}
z+T>7+JhI!4hC1xaq)<1{iaOAgBn#tCRgbw31j8DHm;v0U;sG|%DlF{m;cvdhH)gBr
zfcW{^bx~KiDxX4L9>1E_@FveDENst9N&^A7*=%@E&q2G!ruDG>&)y*ntG8?8rT4DY
z=x9qV=93|?Fksp!43;4Q5idi;ix9pA;o%=3Jdw)<SPYE8$ogPCp{NZEhf|i48$4Y*
zE+JBQF`YEqv_UBt77>Av<jXV(L=2C0!Qn|57iXFxB9C5(lcZglY?d=CAY>lJF2t8g
z(?HbF8xkZ1;SI_fb_9n@abR+zLfIQ>ix88s2MpFQ*})u2s6Qow!=x~{lt3;wjI&T*
zKPoDU8VOK20F~++8m!L_V^HS!&PC?ajFI{1U@S?09NjXA!QoI0Db~?kW{4ltkK)P*
zV)-$+tk4jOv-1jyvyCOi(i~A&l%g5Z5CcO*@NX@+q@$MxhDIhvCTkHMEKVaKM7)G9
z9>&4E1&c8-R<KePWXAWM7?QXfgA>RK3E+l?(9{qW)E*fU*@?}HWN?`jM|J=sgcU28
zpC*UMqPImzV)GG%PBWw%8%=bhG$M&UKqQNp7$Zgo0t>)3VZtP`h&1|;C|Pth(=RwQ
z#E+(gD4;!JWEmP|CCir`$_e%7Qrs9ZG<8H3y(3PR|JH9A$_@)<k69#%h@<x<$k>(6
z=E5jq$<jfg0jv;e5G#_2dK`FT=Jz`Q7J;xlSO!A9gyF$3bljk>c(~N=XjyD&0Vc8a
z*8cP^$~#NhLuETkn%i8yv_Ep#H}|Z@x?a6ggOZDu9M;W*pGRMM5)d4Ej+xs0+N+Di
z^7<oXsMhmKxp%2S;nOeoj~-ZpP!7gxkzzb$wZ0(FV?Bo+66HcIw!U_+d1Y!bP!rn5
zO8H&uimJbiSNP-npG@-{eAX7%2X)VrO4%=|cx7M+(fDMAKY&k)8}yBVL-MQ=q>tWj
z@<tTzUJna9aQ8YgYu?(#jqH}Ex0oYyS$d3kb?RefvpJzp9DjKqsC>Mn&vJeH2K{-<
z8jc4k6(#<p;*vMK*d)R`>Vz9Uo4&r=f^Xt)ovYO5Q^I)r`)&ygAUOCi50i-SFmXuo
zYv5BgA};wUlHAUd7x*%S$)$#Yoe4b8MP14x2XjJL4C+Kj^C)2)E;U#fLg4^TM3`V4
z0O83o!dR0>O$rx}%nc0<;!J)@E;=}9N?!;wI)XFNGPyCEgp&)bRTNk|^@e~0)JQlC
z0tt4dnhXq&;&51uNC84ey`YWLLv-;3@D_=Ph+^UKUl_cYcbYAn_R#_d<Hf(eWa3yX
zVug;P;7k#e7$nA?v4%wz@rVvGM>re<E2#cmdhiY72uMdw8mE9GbKmxPt86M-_1P+o
zBH1i;n@h64hiIUa%)){9CW-7|S)&&Det~nWW1oBIj(+2g#!HWpCFlbhxCMw2Vpu>c
z&`;AtrvqeU?P?do4bt;v2TkN8v>#>u@*gw*4gvEIO=SM4Bq8(Pu9?XE+#mx4nNJ0?
zA(6th!!T|G68O!j2%M%d(YR1wPS^zNfG5930KrUN2?K1x3G6zy!m)Xo?C)QDK>Xmf
zhaux@>9&Plu^S3Y8g^=`yyvfU?3doqkg}^|aofU-?!&)zIG(pl%T{oU{=l>k*i-3T
zsr<xY`Mr@X0TqG7fwI$;!+CF?eOVoU<z0<*O<=_eV#2MH$`8)W+gn;W|M$<LSxe}W
zjGezRb{23h9UqbPvdGfnj?~X5nba(}VyIi!>2^vbzeYD>i@VleqFRZI1Fp6ypII&L
z>Ubohn<IBG^8L%sbe*cEyd789X}afbDz(<GexW<?>$|P>9^y3?7R8M6lGh{FU1n;V
z>uvRv4`?*x&z^C7W3Nh=mDSd)>->@M^N%=NGGw-Qt;yH={2{gLRluxc>n^``T2S$(
zfSSH&2h?#J!b=0W6i0ZtzOQmg)PaH*JeLi9aC1}D`wO*7le~r`-<-(v|9!b!h!}&d
z3G|c(6p(^Oi6WG~F~z0mQI>_WDU1kiU?`gv3j`3A)6kHh7@9R=iH^mR77K?^glg#&
z;S<F2r2y3mX0T%@mP|I6<<IgRlTGt6EN%?IwlPAb6G$%&G5#i<=;Z>TbpD?|8~h`+
zyX2a2A%pJccjxxa)9+r+;9O%ryl7o<u6Q)%vMRQ<JF|=`tE^q&a?`x<ki?xC>%z*{
znb;qssjg2ysdKDYw@77??5y>qGi`)y2XaeF^0RZ<&jP!(0_t4<DA~u!w`$GGE`87w
zzI{t;_?qQ!IUXBw!&c419@<r3ON_1Xk=m(qLp8$f^<UL*F8pkCt2%XULg&h-#9i^y
z6uNb5Z;{yBx26Zr=Uc9$+Y_|aEtQKNmSw?o)2ffpPdR3f-e&g9a=5mu)U#!)Dlb(E
zFLib1A8~VzV5?R**SlA+D+nfE3L=Y(U)zUdm_93|X=iih+DaS5;JZyN2R?MZ{t|zA
z3!zcttJ=W>K>vHbquObiR1RfQ5~>OW1P}fLr*6a)?W5r4BXq<7j{`rUe~H`$!!^c+
z7a#@Hw0YzF=gjntU^A!EbC@r~P%pqpz@!v(c5U1YL~()!38jVrPgF7(4~~ICu>#}^
z#0_)>3mFxb#4!+*`B!qJevpJc@|!MYI?&`%9zQ2ZRwMGeB&-5G_oIjrCDK30B9<oz
zw1hZOOXBAUwWPjzTuWAhETUq4p;y6AhzH_^xG0E$*F1o!AHecQG!YF%6fdGHjm0SA
z$hpt&E2ov@Y}r_KCuu{2t<t=>8B|1DVb)g%g9AY5M74<I2>MW@xu{=>xS0s$2sn1q
zlo2J+0oaBpAQ?kTa|48KtVh$M8-oq-RgZu_X^1|eC%gt?ra3v7Q|0V?`A)pg{H?OB
z>tYWg)^BO@8FR{zW;ls{1){aK=**S3ISt0eN$ko;#?+GE!awOAzG!nXm=!8Je|L7Z
zEA?W<@#XtsAN29IKOv7~)uoiBv~Ev7Uc!vA8+JQ-rcO-bf~@?XV$wd(K8b5L`t9!N
zE0&2gNXUDk^seG%%Uy?@=!+c(_#V3ax}8#5lI)xGbzw6zb(f#+4NUKUXO%O@EXpLr
zmTgV*+Grx3hI!+^XFE;iaX|a8hq4c>s0$BWsQICszVuT_^WMQFE&a*sV?Bd&H+|T{
zEgS7r^y+4;J8pY1KgZwN<gA?dhp^ZCBWK!szt&Nq+YJ^q1n|$yK0&(h@Mrky@uypY
z!xR=pmE`TcsI1ZA{#&QxRmRDRq7i!tcM}NKb<p&`ik8tXT6%x_LQ#W+I(Nx^2`!Vn
zhOGZ5H47Y)&_GL&sQ;RpOd}))v<X7;|4B9fk*J)~A`s@r8XfeOJoeIlk;9`+6^pG^
zFX}!SnTz@4MmX%3D*v~?dQa5QGQDQL(mD34MQQHGa+k6*W%i{bxe20fUGFVh{e9#a
zcf6&JG`D|zQsqN1T|;_nchh4{>g?ybxhjX={#BS)X=vAM>APXI{k_~*VXIcwXR_j|
z!#<QglH<0<dD*+(&%YucRd{-!NW1Tp>b3x-=L2}$`>o}jP-ol1b2COU7X}u;d$RfM
zg3Vn6O(lIFdQ4BXMdTUIP*XL##nqajx&0w|q(o<Rb#5cht~1BiCSx%x<<^MJCEWza
zYdcR$A84qz<Ogt`kqHUUmmcDrHx$3)wUnNopY_i9mA1T4RPunR<RCIAmk3lt1i=E;
zKxk-(1`gx^$m{~Gf|+T8@&GuHPdSOBR4?FpG)o@OM*wC2o2rA>F~(AgX({KsY)2>-
zXlC<GRfH7xeG)WDMg$a%GJo!mnLkm${IV07pLbWt{Aa&RWd8q2(x(fT1(+O!2GJ5;
z114Ac%H&fCd}1{To16^EXrHw0RxwOnA$hK{X=LStlsPNRnck2@lx;X~B(Zg^G^O_5
z8=DG03x*Y)izFw{&RRZb<&{8BDn6gmA=VT;t1Yv84&jpTTA~}_&x0);fpbo^IW6wu
zX*NTZE>=!q<|k4VV=fT-b=$k?YE}pD;kFOl5>eC>)6?^P|6#U7oB||z2Zls%Aw1D)
zaTqG#iSohE3cT1@=8Ayj@kCF6uA^Xo{)93pRG57GKX|bJx9VV4hy~c4Kx-FGIobcH
z4(4d->_l131Vsr@DPt?i7$7t{LN`E<_MjNH7U3Y_h#g4r$4&>Jh)Om&rF2#mqhTVO
z?>c<_zWaM_>gGMTX;bK_HN+%n$_xd>@h)TGq?7grns6GWcP9kisFip7G_-V3&Us1v
z+{P8r2}Md38=rr=-?1+(O|Ly&J>8vC<m*>uv;DK$k*%Y}YQ1+=qFrj;R%mVA_{-U<
z#*KP+)P|@>j5fr)_^XL^Ohqlu$UP?5S3cij#PQZPIdRGDwuRyC3(Bd3_YbUa4R%O;
zyiI<&0pgzJs1sfD2%F*Ox{S2woJH}AkX)^<LQ|VfzT0tXM`x@@a_5;!&6T|Oi|&!9
z!PQ5G{p7CN(s$pF<R<<pafPtA_n`W=9#1E$VLW$};lkPl@lOZs^J*fD!}DuWUmfz7
z={MgNptDQYV}GY(0G~COAEVZDxv$>1#r5eQCmEx7t2v+VK2a;+i5P(5EEO~zAmDOe
z1stlgx~biuSkBCquU+!-jpAeh|39CIp+#CcVn|!?Ez_if)YE7@)BKMe5dQbyK0qrd
z^KS>tkCx}rHu=i|u5WpgfcZa7Wd4k30rM-txWM*_%>U!6?TJ@QUbt!2-ECJ|^3anP
zr_{5|kD&0UWurp_dw%1~4D2!u^GEGx%OOfe)2KQrCcXE_IzMOfqkFq-uI2rKY|-DB
z)FT^Eu|AuxvS_zqWPn_^;les`|B`#<%`OjYl+%lJ)N3`kS%ncAdA+vVFFMN`&!f!T
zuUt`o*u(mjS&gNoU1tqWsSM|r5xIHzh=>JA>2cEBmSkP6KDUOEk_YEC$lRSXtgi1}
zSMS}repGU2zgyC%=w6++y2R|Wu60_+Jg-^0eaUWLSN9^mx_-^FuyX1pq6*(x?oq?i
zgiUR?hhJ&BZOeUJ`|-K){Br9a^LFAFmza?ztszV4KxnT?$J1)zk%J6;FZ+EZGr0uS
zdI~Q22$EcgBp>{~4v9sQxBQcZNJ}SY#7C%y7!2Zy$SX|xK7s%tft5{#to=6*1q`CF
zLVQ7uo=WkFp|F|$Og1ybmq`g?F?^_$Ag&)3{rF+BV7%^wkWg#2acC`HSZEbPB+yP7
zG+Px-0>`Ow9TUM}!1o(X^ezzxa<n4~2wC`H0!tEGW8<o4p=ShMxoLQK$G}`-R9e+M
zy@0r_wy_D!hdsNCjihu+=!wS%U-_nb?+)zUX7{|$@Nsn{(WB;uZ%@&-$W(S=k8e+D
zob?<@r~8_ixHMCLtz+k$DHbkXy}X64i$*L&BtLIl=}I$Wnv<AxRebco=&JAyyYKXc
z7!52v)Oou}yhDSV`F@VkV<%mUvo8s;e>-9B7;K%j*7b(EzZX2)q*CqXiG+*?G25)&
z{o~H+n!VIqel_;qKA*~u9f1`|n}_RPEF@9Lo5P=X#*NyL=kW?R8sxO>xLFyw<w?JK
z!s*Y42h=47JlFH2pKE@+v3dW@pB!!PcV!;cIVtkAIVtR|kL+&06Z#Dd?=lrh2oAtP
zN(>zJGv2h?DOSH~$+BB3%8sl&|FX=owq)mDzbuvN*cYw;^vS*z90ykdzd1Q*NWIJq
zeu@dF4KS&8o}_3iKk-XLr|UCCv%{?q*3oPEw<VXxiw%dkNd;?f2=&?ZP{n%bQW!d>
z@#n6`H$Lw+p!~%<7Pw0FmkmF2MEbAK_^r@?)3$n-e3hf7xdjiRpSbiUu`n%Ga~rh0
zqz(_sdWLvkUX?RXVd&nrRd+1H7U=gW`5%k^(&KWEEwN~LRnNoC_RteOzRP|4fg1(s
zthxdj-u|C+nk7>o#cE|1vSofHh+P*qE@$u3-DGkh_NvjZ%c|DrJi!<EiOM>f8JfK8
z5s`R0dq_T3;@VY-kiq3k`A7u+x9+<S+s`fg9OZN+ySGv4xiMMcegEEBS~)7a^S94G
z{N$Ly)x{laLazh`EA3?;Wi%p**9z0q2saiJu$rFX9@|#EV-F5pTIyjy%wCc-Sgs6v
zuG>feEGYOSpLs(12UV4<*uPg*$%qD375i^hm3|3ORauEL?7kl&?q~f7kpfMJc;JVK
zk~V)2F=sxo@$7Vnq*`g{74QJsCVzg1S{5z+0iqHGO7|F30ZLZC9J*@s^Si$+1o<#<
zMcGAEnGYCAY2!nk9xbz1G+&FS`I2L)`}+GWPu|tCXjOgH_4vl1ZODeekGh`HN`nsu
ze2O*sacgtrR=3Z#4~%s=s;YiHdGHrW53@gJCz*><(=?hZ_x&={tXGQIcCeF-eh7on
z36ae<bI)l%Yu%;8R=c#Qim{~1)?y>odvhhh+Rva%UB2Uey|F3#%gq&9dCH|^|EKmA
zAU3o{2#N<wM%!fdgF@{iQ1#=cPgK90`Lm)9#wRJk*tXPh^>ann{+%&80lCR(72fcT
z#xom_{=6q($4vJ8>&r~8Wjf{7Tcwo6u1-v;HQ_)DpIPTUYdXKs3^j)MVC*j{ET#(r
z{bS>FK{y!iQJxbH!usXAurfgqTrB~jb2|)W12nWv32VZApC2HCu%-<Q!#bFWA}Rte
zQyx31ytO-Psjb~HThr<TZ|2USH-zxDFG|~sl+A}X#l8?cv{W>MZ_w*_L9}Dd*}aXc
zDsO0v?pd%#d*PnP_*9)0iK(b<-SXJ+7j25`>24=c*9T@!a(y^(eRUEM#vThFcl`}Y
z)?g-zSf%g{ams4x+tjCBZ8h*88~jzucQ4vtGg$2n6!C*17775aL)#QY4~J_%Kt%ob
zwIB-Y6Clc?{u2{nUbUCL;vVF*qt)m5t&~;99h*Ky$0g*`0;8$-jvAuV4ufgYO)&jN
waQ$Q2X}bgqAx^)LCI{R&;#6n5XQ0jwI5o-HY~bu}@b@9uqXXm4u16R1Uo6+Q(*OVf

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
new file mode 100644
index 0000000000..b50f04a92e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+	{
+	print is_orig, |response|;
+	}

From de0ce6deedd388de612365c085a1e4f427fbc2e0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 24 Apr 2014 16:20:01 -0500
Subject: [PATCH 193/220] BIT-1156: Fix parsing of DNS TXT RRs w/ multiple
 character-strings.

The "dns_TXT_reply" event now uses a "vector of strings" as the final
parameter instead of just a "string" in order to support DNS TXT
resource records that contain multiple character-strings.

The format in which the TXT answers are logged by default is now changed
to be a list of strings of the form `fmt("TXT %d %s", |str|, str)`, one
for each character-string in the RR and delimited by a space (' ')
character.
---
 scripts/base/protocols/dns/main.bro           | 14 +++-
 src/analyzer/protocol/dns/DNS.cc              | 65 +++++++++++++------
 src/analyzer/protocol/dns/events.bif          |  2 +-
 testing/btest/Baseline/core.ipv6-frag/dns.log |  8 +--
 4 files changed, 62 insertions(+), 27 deletions(-)

diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index d7280602e6..83c9682e8c 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -382,9 +382,19 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 	hook DNS::do_reply(c, msg, ans, fmt("%s", a));
 	}
 
-event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, str: string) &priority=5
+event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
 	{
-	hook DNS::do_reply(c, msg, ans, str);
+	local txt_strings: string = "";
+
+	for ( i in strs )
+		{
+		if ( i > 0 )
+			txt_strings += " ";
+
+		txt_strings += fmt("TXT %d %s", |strs[i]|, strs[i]);
+		}
+
+	hook DNS::do_reply(c, msg, ans, txt_strings);
 	}
 
 event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index a97c7b8632..aee1e1b213 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -835,34 +835,59 @@ int DNS_Interpreter::ParseRR_HINFO(DNS_MsgInfo* msg,
 	return 1;
 	}
 
+static StringVal* extract_char_string(analyzer::Analyzer* analyzer,
+                                      const u_char*& data, int& len, int& rdlen)
+	{
+	if ( rdlen <= 0 )
+		return 0;
+
+	uint8 str_size = data[0];
+	--rdlen;
+	--len;
+	++data;
+
+	if ( str_size > rdlen )
+		{
+		analyzer->Weird("DNS_TXT_char_str_past_rdlen");
+		return 0;
+		}
+
+	StringVal* rval = new StringVal(str_size,
+	                                reinterpret_cast<const char*>(data));
+
+	rdlen -= str_size;
+	len -= str_size;
+	data += str_size;
+	return rval;
+	}
+
 int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start)
 	{
-	int name_len = data[0];
-
-	char* name = new char[name_len];
-
-	memcpy(name, data+1, name_len);
-
-	data += rdlength;
-	len -= rdlength;
-
-	if ( dns_TXT_reply && ! msg->skip_event )
+	if ( ! dns_TXT_reply || msg->skip_event )
 		{
-		val_list* vl = new val_list;
-
-		vl->append(analyzer->BuildConnVal());
-		vl->append(msg->BuildHdrVal());
-		vl->append(msg->BuildAnswerVal());
-		vl->append(new StringVal(name_len, name));
-
-		analyzer->ConnectionEvent(dns_TXT_reply, vl);
+		data += rdlength;
+		len -= rdlength;
+		return 1;
 		}
 
-	delete [] name;
+	VectorVal* char_strings = new VectorVal(string_vec);
+	StringVal* char_string;
 
-	return 1;
+	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
+		char_strings->Assign(char_strings->Size(), char_string);
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(char_strings);
+
+	analyzer->ConnectionEvent(dns_TXT_reply, vl);
+
+	return rdlength == 0;
 	}
 
 void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 520e32fe6d..efa0807fd1 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -376,7 +376,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
 
 ## Generated for DNS replies of type *SRV*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
diff --git a/testing/btest/Baseline/core.ipv6-frag/dns.log b/testing/btest/Baseline/core.ipv6-frag/dns.log
index 69aec7e222..5eede0a0e4 100644
--- a/testing/btest/Baseline/core.ipv6-frag/dns.log
+++ b/testing/btest/Baseline/core.ipv6-frag/dns.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2013-08-26-19-02-10
+#open	2014-04-24-20-25-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	This TXT record should be ignored	1.000000	F
-1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	This TXT record should be ignored	1.000000	F
+1331084278.438444	CXWv6p3arKYeMETxOg	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+1331084293.592245	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
 1331084298.593081	CjhGID4nQcgTWjvg4c	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
-#close	2013-08-26-19-02-10
+#close	2014-04-24-20-25-20

From 3d22692b6e897c1935cb60a8890de8bb76ef2b47 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 24 Apr 2014 14:45:06 -0700
Subject: [PATCH 194/220] Fix a few failing tests

---
 scripts/policy/protocols/ssl/heartbleed.bro | 7 +++++--
 scripts/test-all-policy.bro                 | 1 +
 testing/btest/core/leaks/http-connect.bro   | 2 +-
 testing/btest/core/leaks/x509_verify.bro    | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index dbf27ec63e..1e0fdcd98b 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,6 +1,9 @@
-module Heartbleed;
+# Detect the TLS heartbleed attack. See http://heartbleed.com
 
-# Detect the TLS heartbleed attack. See http://heartbleed.com/
+@load base/protocols/ssl
+@load base/frameworks/notice
+
+module Heartbleed;
 
 # Do not disable analyzers after detection - otherwhise we will not notice encrypted attacks
 redef SSL::disable_analyzer_after_detection=F;
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 895a9a8901..5c6ed286fb 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -85,6 +85,7 @@
 @load protocols/ssh/software.bro
 @load protocols/ssl/expiring-certs.bro
 @load protocols/ssl/extract-certs-pem.bro
+@load protocols/ssl/heartbleed.bro
 @load protocols/ssl/known-certs.bro
 @load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
diff --git a/testing/btest/core/leaks/http-connect.bro b/testing/btest/core/leaks/http-connect.bro
index e9a47d00a2..fe42f3ec0a 100644
--- a/testing/btest/core/leaks/http-connect.bro
+++ b/testing/btest/core/leaks/http-connect.bro
@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/http/connect-with-smtp.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/conn
 @load base/protocols/http
diff --git a/testing/btest/core/leaks/x509_verify.bro b/testing/btest/core/leaks/x509_verify.bro
index 426a95d2c2..f4a5ddc7d1 100644
--- a/testing/btest/core/leaks/x509_verify.bro
+++ b/testing/btest/core/leaks/x509_verify.bro
@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/tls-expired-cert.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/ssl
 

From 9e6643e9d428ce0c9e0a2ba336013b9a56297036 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 24 Apr 2014 17:07:04 -0700
Subject: [PATCH 195/220] Updating submodule(s).

 [nomail]
---
 aux/broccoli | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broccoli b/aux/broccoli
index 04e6a7f591..561ccdd6ed 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 04e6a7f591817f060a781f21c12e1afce7eb1e16
+Subproject commit 561ccdd6edec4ac5540f3d5565aefb59e7510634

From 988ba2e897a5256defac18b32d1cde4ce2721116 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 24 Apr 2014 17:08:45 -0700
Subject: [PATCH 196/220] Add Java version to software framework

BIT-1168 #merged
---
 CHANGES                                   | 4 ++++
 VERSION                                   | 2 +-
 scripts/base/frameworks/software/main.bro | 7 +++++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 37cfb13a64..b8f537e914 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-381 | 2014-04-24 17:08:45 -0700
+
+  * Add Java version to software framework. (Brian Little)
+    
 2.2-379 | 2014-04-24 17:06:21 -0700
 
   * Remove unused Val::attribs member. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 523b625f56..ba398d78a0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-379
+2.2-381
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index c8f413a8f2..f5c9927126 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -287,6 +287,13 @@ function parse_mozilla(unparsed_version: string): Description
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
+	else if ( / Java\/[0-9]\./ in unparsed_version )
+		{
+		software_name = "Java";
+		parts = split_all(unparsed_version, /Java\/[0-9\._]*/);
+		if ( 2 in parts )
+			v = parse(parts[2])$version;
+		}
 
 	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
 	}

From bd64e52782eaf6a7f006d029a61f24f19a2ac9fa Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 24 Apr 2014 18:14:18 -0700
Subject: [PATCH 197/220] Fixing compiler warnings.

---
 src/analyzer/protocol/tcp/TCP_Endpoint.h     | 3 ++-
 src/analyzer/protocol/tcp/TCP_Reassembler.cc | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h
index 95186c583a..96cc497421 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.h
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h
@@ -135,7 +135,8 @@ public:
 	int NoDataAcked() const
 		{
 		uint64 ack = ToFullSeqSpace(ack_seq, ack_wraps);
-		return ack == StartSeqI64() || ack == StartSeqI64() + 1;
+		uint64 start = static_cast<uint64>(StartSeqI64());
+		return ack == start || ack == start + 1;
 		}
 
 	Connection* Conn() const;
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
index 1fabfc5d73..053e8c8f60 100644
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@@ -376,7 +376,7 @@ void TCP_Reassembler::BlockInserted(DataBlock* start_block)
 		TrimToSeq(last_reassem_seq);
 
 	else if ( e->NoDataAcked() && tcp_max_initial_window &&
-		  e->Size() > tcp_max_initial_window )
+		  e->Size() > static_cast<uint64>(tcp_max_initial_window) )
 		// We've sent quite a bit of data, yet none of it has
 		// been acked.  Presume that we're not seeing the peer's
 		// acks (perhaps due to filtering or split routing) and
@@ -465,7 +465,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
 	NewBlock(t, seq, len, data);
 
 	if ( Endpoint()->NoDataAcked() && tcp_max_above_hole_without_any_acks &&
-	     NumUndeliveredBytes() > tcp_max_above_hole_without_any_acks )
+	     NumUndeliveredBytes() > static_cast<uint64>(tcp_max_above_hole_without_any_acks) )
 		{
 		tcp_analyzer->Weird("above_hole_data_without_any_acks");
 		ClearBlocks();
@@ -473,7 +473,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len,
 		}
 
 	if ( tcp_excessive_data_without_further_acks &&
-	     NumUndeliveredBytes() > tcp_excessive_data_without_further_acks )
+	     NumUndeliveredBytes() > static_cast<uint64>(tcp_excessive_data_without_further_acks) )
 		{
 		tcp_analyzer->Weird("excessive_data_without_further_acks");
 		ClearBlocks();

From 597c373fa0b947ee2da2c5e4a65dcdf5f0c5b40e Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 09:48:36 -0700
Subject: [PATCH 198/220] Log chosen curve when using ec cipher suite in TLS.

---
 scripts/base/protocols/ssl/main.bro           |   9 +
 src/analyzer/protocol/ssl/events.bif          |  20 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  13 +
 src/analyzer/protocol/ssl/ssl-defs.pac        | 352 ++++++++++++++++++
 src/analyzer/protocol/ssl/ssl-protocol.pac    |  60 ++-
 .../ssl.log                                   |  12 +-
 .../scripts.base.protocols.ssl.basic/ssl.log  |  10 +-
 .../scripts.base.protocols.ssl.ecdhe/ssl.log  |  10 +
 .../scripts.base.protocols.ssl.ecdhe/x509.log |  12 +
 .../ssl.log                                   |  10 +-
 .../ssl.log                                   |  10 +-
 .../ssl.log                                   |  12 +-
 .../ssl.log                                   |  12 +-
 testing/btest/Traces/tls/ecdhe.pcap           | Bin 0 -> 7510 bytes
 .../scripts/base/protocols/ssl/ecdhe.test     |   3 +
 15 files changed, 505 insertions(+), 40 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log
 create mode 100644 testing/btest/Traces/tls/ecdhe.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/ecdhe.test

diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index e3c3320f74..f1315f8c85 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -19,6 +19,8 @@ export {
 		version:          string           &log &optional;
 		## SSL/TLS cipher suite that the server chose.
 		cipher:           string           &log &optional;
+		## Elliptic curve the server chose when using ECDH/ECDHE.
+		curve:            string           &log &optional;
 		## Value of the Server Name Indicator SSL/TLS extension.  It
 		## indicates the server name that the client was requesting.
 		server_name:      string           &log &optional;
@@ -159,6 +161,13 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
+event ssl_server_curve(c: connection, curve: count) &priority=5
+	{
+	set_session(c);
+
+	c$ssl$curve = ec_curves[curve];
+	}
+
 event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 555168e82f..54bb0715d2 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -58,7 +58,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##              standardized as part of the SSL/TLS protocol.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
-##    ssl_session_ticket_handshake x509_certificate
+##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -97,7 +97,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@@ -114,9 +114,23 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_session_ticket_handshake ssl_extension
 ##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
-##    ssl_extension_server_name
+##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
+## Generated a named curve is chosen by the server for the SSL/TLS connection. The
+## curve is sent by the server in the ServerKeyExchange message as defined in
+## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
+##
+## c: The connection.
+##
+## point_formats: List of supported point formats.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_server_curve%(c: connection, curve: count%);
+
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 62300557da..071edf2eac 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -400,6 +400,15 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_ec_server_key_exchange(rec: SSLRecord, curve_type: uint8, curve: uint16) : bool
+		%{
+		if ( curve_type == NAMED_CURVE )
+			BifEvent::generate_ssl_server_curve(bro_analyzer(),
+			  bro_analyzer()->Conn(), curve);
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
@@ -488,3 +497,7 @@ refine typeattr ServerNameExt += &let {
 refine typeattr CertificateStatus += &let {
 	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
 };
+
+refine typeattr EcServerKeyExchange += &let {
+	proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 24827d3621..2b55e53b25 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -60,3 +60,355 @@ enum SSLExtensions {
 	EXT_PADDING = 35655,
 	EXT_RENEGOTIATION_INFO = 65281
 };
+
+enum ECCurveType {
+  EXPLICIT_PRIME = 1,
+	EXPLICIT_CHAR = 2,
+	NAMED_CURVE = 3
+};
+
+enum TLSCiphers {
+	NO_CHOSEN_CIPHER = 0xFFFFFF,
+	TLS_NULL_WITH_NULL_NULL = 0x0000,
+	TLS_RSA_WITH_NULL_MD5 = 0x0001,
+	TLS_RSA_WITH_NULL_SHA = 0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003,
+	TLS_RSA_WITH_RC4_128_MD5 = 0x0004,
+	TLS_RSA_WITH_RC4_128_SHA = 0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA = 0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017,
+	TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019,
+	TLS_DH_ANON_WITH_DES_CBC_SHA = 0x001A,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B,
+	TLS_KRB5_WITH_DES_CBC_SHA = 0x001E,
+	TLS_KRB5_WITH_3DES_EDE_CBC_SHA = 0x001F,
+	TLS_KRB5_WITH_RC4_128_SHA = 0x0020,
+	TLS_KRB5_WITH_IDEA_CBC_SHA = 0x0021,
+	TLS_KRB5_WITH_DES_CBC_MD5 = 0x0022,
+	TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = 0x0023,
+	TLS_KRB5_WITH_RC4_128_MD5 = 0x0024,
+	TLS_KRB5_WITH_IDEA_CBC_MD5 = 0x0025,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027,
+	TLS_KRB5_EXPORT_WITH_RC4_40_SHA = 0x0028,
+	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029,
+	TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A,
+	TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = 0x002B,
+	TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A,
+	TLS_RSA_WITH_NULL_SHA256 = 0x003B,
+	TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C,
+	TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = 0x003E,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = 0x003F,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = 0x0040,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 = 0x0060,
+	TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 = 0x0061,
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065,
+	TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = 0x0068,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = 0x0069,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = 0x006A,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D,
+	# draft-ietf-tls-openpgp-keys-06
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD = 0x0072,
+	TLS_DHE_DSS_WITH_AES_128_CBC_RMD = 0x0073,
+	TLS_DHE_DSS_WITH_AES_256_CBC_RMD = 0x0074,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD = 0x0077,
+	TLS_DHE_RSA_WITH_AES_128_CBC_RMD = 0x0078,
+	TLS_DHE_RSA_WITH_AES_256_CBC_RMD = 0x0079,
+	TLS_RSA_WITH_3DES_EDE_CBC_RMD = 0x007C,
+	TLS_RSA_WITH_AES_128_CBC_RMD = 0x007D,
+	TLS_RSA_WITH_AES_256_CBC_RMD = 0x007E,
+	# draft-chudov-cryptopro-cptls-04
+	TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080,
+	TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081,
+	TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082,
+	TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089,
+	TLS_PSK_WITH_RC4_128_SHA = 0x008A,
+	TLS_PSK_WITH_3DES_EDE_CBC_SHA = 0x008B,
+	TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C,
+	TLS_PSK_WITH_AES_256_CBC_SHA = 0x008D,
+	TLS_DHE_PSK_WITH_RC4_128_SHA = 0x008E,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA = 0x008F,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA = 0x0090,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA = 0x0091,
+	TLS_RSA_PSK_WITH_RC4_128_SHA = 0x0092,
+	TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA = 0x0093,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA = 0x0094,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA = 0x0095,
+	TLS_RSA_WITH_SEED_CBC_SHA = 0x0096,
+	TLS_DH_DSS_WITH_SEED_CBC_SHA = 0x0097,
+	TLS_DH_RSA_WITH_SEED_CBC_SHA = 0x0098,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA = 0x0099,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA = 0x009A,
+	TLS_DH_ANON_WITH_SEED_CBC_SHA = 0x009B,
+	TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C,
+	TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F,
+	TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = 0x00A0,
+	TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = 0x00A1,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3,
+	TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = 0x00A4,
+	TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = 0x00A5,
+	TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6,
+	TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7,
+	TLS_PSK_WITH_AES_128_GCM_SHA256 = 0x00A8,
+	TLS_PSK_WITH_AES_256_GCM_SHA384 = 0x00A9,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 = 0x00AA,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 = 0x00AB,
+	TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 = 0x00AC,
+	TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 = 0x00AD,
+	TLS_PSK_WITH_AES_128_CBC_SHA256 = 0x00AE,
+	TLS_PSK_WITH_AES_256_CBC_SHA384 = 0x00AF,
+	TLS_PSK_WITH_NULL_SHA256 = 0x00B0,
+	TLS_PSK_WITH_NULL_SHA384 = 0x00B1,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 = 0x00B2,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 = 0x00B3,
+	TLS_DHE_PSK_WITH_NULL_SHA256 = 0x00B4,
+	TLS_DHE_PSK_WITH_NULL_SHA384 = 0x00B5,
+	TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 = 0x00B6,
+	TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 = 0x00B7,
+	TLS_RSA_PSK_WITH_NULL_SHA256 = 0x00B8,
+	TLS_RSA_PSK_WITH_NULL_SHA384 = 0x00B9,
+	TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BA,
+	TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BB,
+	TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BC,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BD,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BE,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 = 0x00BF,
+	TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C0,
+	TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C1,
+	TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C2,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5,
+	# draft-bmoeller-tls-downgrade-scsv-01
+	TLS_FALLBACK_SCSV = 0x5600,
+	# RFC 4492
+	TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xC004,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xC005,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xC006,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xC007,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC008,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xC009,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xC00A,
+	TLS_ECDH_RSA_WITH_NULL_SHA = 0xC00B,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xC00C,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xC00D,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xC00E,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xC00F,
+	TLS_ECDHE_RSA_WITH_NULL_SHA = 0xC010,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xC011,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xC012,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xC013,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xC014,
+	TLS_ECDH_ANON_WITH_NULL_SHA = 0xC015,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA = 0xC016,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA = 0xC017,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA = 0xC018,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA = 0xC019,
+	TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A,
+	TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B,
+	TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA = 0xC01C,
+	TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D,
+	TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E,
+	TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA = 0xC01F,
+	TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020,
+	TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021,
+	TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA = 0xC022,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC023,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC024,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = 0xC025,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = 0xC026,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xC027,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xC028,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = 0xC029,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = 0xC02A,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02B,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02C,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xC02D,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = 0xC02E,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xC031,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = 0xC032,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA = 0xC033,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = 0xC034,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = 0xC035,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = 0xC036,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = 0xC037,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = 0xC038,
+	TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B,
+	# RFC 6209
+	TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C,
+	TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D,
+	TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E,
+	TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F,
+	TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040,
+	TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041,
+	TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042,
+	TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043,
+	TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044,
+	TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045,
+	TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046,
+	TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B,
+	TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C,
+	TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D,
+	TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E,
+	TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F,
+	TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050,
+	TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051,
+	TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052,
+	TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053,
+	TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054,
+	TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055,
+	TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056,
+	TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057,
+	TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058,
+	TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059,
+	TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A,
+	TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F,
+	TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060,
+	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061,
+	TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062,
+	TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063,
+	TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064,
+	TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065,
+	TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066,
+	TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067,
+	TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068,
+	TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069,
+	TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A,
+	TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B,
+	TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C,
+	TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D,
+	TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E,
+	TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F,
+	TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070,
+	TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071,
+	# RFC 6367
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079,
+	TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A,
+	TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D,
+	TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E,
+	TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081,
+	TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082,
+	TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083,
+	TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084,
+	TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D,
+	TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E,
+	TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091,
+	TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092,
+	TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093,
+	TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094,
+	TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097,
+	TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098,
+	TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B,
+	# RFC 6655
+	TLS_RSA_WITH_AES_128_CCM = 0xC09C,
+	TLS_RSA_WITH_AES_256_CCM = 0xC09D,
+	TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E,
+	TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F,
+	TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0,
+	TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1,
+	TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2,
+	TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3,
+	TLS_PSK_WITH_AES_128_CCM = 0xC0A4,
+	TLS_PSK_WITH_AES_256_CCM = 0xC0A5,
+	TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6,
+	TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7,
+	TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8,
+	TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9,
+	TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA,
+	TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB,
+	# draft-agl-tls-chacha20poly1305-02
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13,
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14,
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index a3729826c4..a44516dc6b 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -302,9 +302,11 @@ type ServerHello(rec: SSLRecord) = record {
 	# of the following fields.
 	ext_len: uint16[] &until($element == 0 || $element != 0);
 	extensions : SSLExtension(rec)[] &until($input.length() == 0);
+} &let {
+	cipher_set : bool =
+		$context.connection.set_cipher(cipher_suite[0]);
 };
 
-
 ######################################################################
 # V2 Server Hello (SSLv2 2.6.)
 ######################################################################
@@ -351,11 +353,51 @@ type CertificateStatus(rec: SSLRecord) = record {
 # V3 Server Key Exchange Message (7.4.3.)
 ######################################################################
 
-# For now ignore details; just eat up complete message
-type ServerKeyExchange(rec: SSLRecord) = record {
-	key : bytestring &restofdata &transient;
+# Usually, the server key exchange does not contain any information
+# that we are interested in.
+#
+# The one exception is when we are using an elliptic curve cipher suite.
+# In this case, we can extract the final chosen cipher from here.
+type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of {
+	TLS_ECDH_ECDSA_WITH_NULL_SHA,
+	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_RSA_WITH_NULL_SHA,
+	TLS_ECDH_RSA_WITH_RC4_128_SHA,
+	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_NULL_SHA,
+	TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_ECDH_ANON_WITH_NULL_SHA,
+	TLS_ECDH_ANON_WITH_RC4_128_SHA,
+	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+		-> ec_server_key_exchange : EcServerKeyExchange(rec);
+
+	default
+		-> key : bytestring &restofdata &transient;
 };
 
+# For the moment, we really only are interested in the curve name. If it
+# is not set (if the server sends explicit parameters), we do not bother.
+# We also do not parse the actual signature data following the named curve.
+type EcServerKeyExchange(rec: SSLRecord) = record {
+	curve_type: uint8;
+	curve: uint16; # only if curve_type = 3
+	data: bytestring &restofdata &transient;
+};
 
 ######################################################################
 # V3 Certificate Request (7.4.4.)
@@ -501,14 +543,24 @@ refine connection SSL_Conn += {
 		int client_state_;
 		int server_state_;
 		int record_layer_version_;
+		uint32 chosen_cipher_;
 	%}
 
 	%init{
 		server_state_ = STATE_CLEAR;
 		client_state_ = STATE_CLEAR;
 		record_layer_version_ = UNKNOWN_VERSION;
+		chosen_cipher_ = NO_CHOSEN_CIPHER;
 	%}
 
+	function chosen_cipher() : int %{ return chosen_cipher_; %}
+
+	function set_cipher(cipher: int64) : bool
+		%{
+		chosen_cipher_ = cipher;
+		return true;
+		%}
+
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
 					head2 : uint8, head3: uint8, head4: uint8) : int
 		%{
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
index 3b04596f6f..5fb15d53ae 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-45-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
-#close	2014-03-13-20-45-24
+#open	2014-04-26-16-44-47
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1348168976.508038	CXWv6p3arKYeMETxOg	192.168.57.103	60108	192.168.57.101	2811	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k	FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme	CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+1348168976.551422	CjhGID4nQcgTWjvg4c	192.168.57.103	35391	192.168.57.101	55968	TLSv10	TLS_RSA_WITH_NULL_SHA	-	-	-	-	T	F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3	FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa	CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid	CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid
+#close	2014-04-26-16-44-47
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
index 455d8606e8..7834e74868 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.basic/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-45-46
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
-#close	2014-03-13-20-45-46
+#open	2014-04-26-16-45-01
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1335538392.319381	CXWv6p3arKYeMETxOg	192.168.1.105	62045	74.125.224.79	443	TLSv10	TLS_ECDHE_RSA_WITH_RC4_128_SHA	secp256r1	ssl.gstatic.com	-	-	T	F6wfNWn8LR755SYo7,FJl60T1mOolaez9T0h	(empty)	CN=*.gstatic.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-45-01
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
new file mode 100644
index 0000000000..66ea42be70
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-04-26-16-39-57
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1398529018.678827	CXWv6p3arKYeMETxOg	192.168.18.50	56981	74.125.239.97	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	secp256r1	-	-	-	T	FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-39-57
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log
new file mode 100644
index 0000000000..e8813fb60a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ecdhe/x509.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	x509
+#open	2014-04-26-16-39-57
+#fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
+#types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
+1398529018.711296	FDy6ve1m58lwPRfhE9	3	1E58FDC12DE4C703	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	1397045108.000000	1404777600.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.com,*.gvt1.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.com,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,youtu.be,youtube.com,youtubeeducation.com	-	-	-	F	-
+1398529018.711296	FnGjwc1EVGk5x0WZk5	3	023A69	CN=Google Internet Authority G2,O=Google Inc,C=US	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	1365174955.000000	1428160555.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0
+1398529018.711296	F2T07R1XZFCmeWafv2	3	12BBE6	CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US	OU=Equifax Secure Certificate Authority,O=Equifax,C=US	1021953600.000000	1534824000.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	-
+#close	2014-04-26-16-39-57
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
index 88f3c2126e..082106e89e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2-handshake-failure/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-46-30
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
-#close	2014-03-13-20-46-30
+#open	2014-04-26-16-45-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1393957586.786031	CXWv6p3arKYeMETxOg	192.168.4.149	53525	74.125.239.37	443	-	-	-	-	-	handshake_failure	F	-	-	-	-	-	-
+#close	2014-04-26-16-45-16
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
index 0bb8b5810d..ab1345d0cc 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-20-46-09
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
-#close	2014-03-13-20-46-09
+#open	2014-04-26-16-45-09
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1357328848.549370	CXWv6p3arKYeMETxOg	10.0.0.80	56637	68.233.76.12	443	TLSv12	TLS_RSA_WITH_RC4_128_MD5	-	-	-	-	T	FlnQzb2dJK4p9jXwmd,FaDzX22O4j3kFF6Jqg,F9Tsjm3OdCmGGw43Yh	(empty)	CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US	CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-
+#close	2014-04-26-16-45-09
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
index ec0a90929b..da805fd35d 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-21-47-24
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-#close	2014-03-13-21-47-24
+#open	2014-04-26-16-45-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-26-16-45-23
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
index 16fcee9111..7965e3be89 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-03-13-21-53-03
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
-#types	time	string	addr	port	addr	port	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
-1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
-1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
-#close	2014-03-13-21-53-03
+#open	2014-04-26-16-45-32
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer	validation_status
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string	string
+1394745602.951961	CXWv6p3arKYeMETxOg	192.168.4.149	60539	87.98.220.10	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	F1fX1R2cDOzbvg17ye,FqPEQR2eytAQybroyl	(empty)	CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated	CN=COMODO SSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	-	-	certificate has expired
+1394745618.791420	CjhGID4nQcgTWjvg4c	192.168.4.149	60540	122.1.240.204	443	TLSv10	TLS_RSA_WITH_AES_256_CBC_SHA	-	-	-	-	T	F6NAbK127LhNBaEe5c,FDhmPt28vyXlGMTxP7,F0ROCKibhE1KntJ1h	(empty)	CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP	CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US	-	-	ok
+#close	2014-04-26-16-45-32
diff --git a/testing/btest/Traces/tls/ecdhe.pcap b/testing/btest/Traces/tls/ecdhe.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e37df374e0271a643d49fea1c67e03e00a158a63
GIT binary patch
literal 7510
zcmb_h2{@G9+ka*?#?II)Q<jSGShKWPvb2drMX50c!!XQ@tqns-i<G1dBa)JOORG|f
zkR{8jl1gcjmx%I~EcwneB7^#0-}n7zu5(?_eb0G*=RWs+pWl7XnTF!a8E6O#jedrQ
zAqWM8{^#z_L;b>#19(Q7mv_F%0j_UOfC62d0NFs0h0l-$WPvY573E0lFWdf!(wvOC
z<tiEzjUfGn9v;592ZGR8+!YiCgGHeTL}m5U*O1?^=n?eT^+aeHkdZcmJ2D19CqoNt
z1|i4@um1r-Mn*v0YECxrzdaX>z~xD2&wF3RM?Zo^6NsLbZ!8dWFcKcId%7DDvI3|`
zn`F14;zh)6(uN6ka{;<$lq6aI_y*vC5qlpY$OvMtI}vIHXh@rc*eLV@K~&#6C87dZ
zU%OKfQ4WKG(t(ptU@)H)LR0I4c=kN?Lu(>>PO~Wlr@x6Ri&#D}bp43!pOS&Qib&8f
z8uSi;L?A2%LZKldWC-a);*c1m2y~*50wfG{a*#YkfbftIM1o{NL~)QbBm-iJhA@x>
zBne4Ds=#_Nhz!lZqwr`v28Y6-aUeEWG!}zFVbB;18ihuqk=`g2GHX=jFF#I-kfF^G
zKSEs-BBbdm8mkc{iB7w&J2GqF!;K(1j}XKgkBLwf4&t|oh`2j8Aoq;$+Md5dRFxV-
z^gs~hFc@ed$R<+^#@YS(_YIc@>fhh{vUz=MqsGS!rJbJn#Q`co{YwgTSqmWGMM!EG
zh2-|A8-Y6jg7^y&NW2jee+&s(!(5@oFc&|Y$M*zb#=4<<+V9FRuozxgbC><DZ(=AE
z4hO+Y^+aG{JjMl!mqEKY>&d`Uh(MGf+A*0v3>tZ9AXQHtRz;K;nQ3E64viH^<B%;w
zIKE64ofAQ}(}!osi|HA{hOnugK5PV=xbemLunElnxWV324n+_pT2mNwZzd~{PSKNt
zNytz_qGBtVA%PqUJ&^25r-hB#B|6?NSy+Z|m#C<wjt}2l9V#;b=AveepCt+hVYny>
z2<VAuE(!(Jgy)|omima4eX_E+BigjQ&A~A~_(jqZ?})JIrv+^Z;TOm)>q%!moH7dW
zlGQD$v45k=V+k!W?pKUYbh&7?o44{#+z$o%smRD&WhYDRyiBz9k<#?}HXZTB{iHBf
zJ9q6)v8#>^_ihhl<MVD<tkXNi9Q>A4cc|dzfsXJkXHO)qJk)VhNa>cf)X6s|9&U1;
zGdT3}Y5SHYiD2Uhk86#Ki(4`ELv>dp_Wq5c1;v`xbPxCP#P-IvpSW@+uB}eq^^K|N
z{Va-=d)odBtPD$n^S5xft-7}p3CfASgi@o*hp!oPvPE-eDhI!={cd$C6Bd#w(zqHW
z<YUo$?Bj#k)n#a~WKo%1tSHRI65#2;h11osh~o)bc#so97}VGk8s?(kARVNzT=X*_
zJmw1cnk%NMLkaX^G3j22>$!433<{zJ`p^Su<3hrf*3_Xgm?2){b)fG^(6lLm6h;Jx
zPG$2kL`L;GR0?;Tz~GAi`h}@O4-}OBf&}Fdf3C#1{sB4^)<i|f1cm3s9#rOp9s%JK
z6r72#ga(eY*^4$#ps~jZ-mGzgZ^$@-&KV~JGR6r(0s`lkC6pjKa9tpmG&)}piU1mm
zO5^)eYE&Ca_o6ZRDiAdvHirUS&KHS54CUzYpFwy-SX5tnAYYP1B*uiOMKD7+A)Ykt
zKqi&R^rw%E0w90t`7eUt{uF6mAyhCDa|95?6GS?|hu=wLeCl8k9TyK$LdS=}B~6(c
z#9ynND?RcoFje9>(+T|Xbv!``#v4YO$}HG-G~-byEW+*UpZ<y4Z9(k;+)feX_Ip=G
ztHtN-g516Vc7wG>M}X10RD3y{ATwRvAb<Ke*Xr6WwY1aMp|UvRI-|xqQyFwxAcw6t
z{tYIT9W=6l#j$c&Qb`KgI5vAtKusN&Yg4Ma+jZb{BP@z6Ul|l?7>kA>SOt+(u?nzU
z6lvK@yqxmwufA79|Bb$O%TuYqEm{|rM>>$PlCU^<lL!a_i+U1)#-U&s`9TFc7oH8P
z^Hg~=#|-<;EEwZC7*ra-!6?YdIr#b0Hk`{&jcW4>&y!JFS{E2DQXg~A_c~IUgxolV
zyK#O-^eSO1R(+quir~n;A@c)j9~_{0gR4tEbjDg3wpeN<e$=s0DS7F7>6_+<-9oaw
zqVnO$Fv-Nc;BDuPO0Sf4_XOV4IaFv*c$R_oj`wG*{$b*jTwT0X^{_?7p%t#0x2yXr
zLeFlwvsv`+<CfZrR=MH*6>K=ed)^_X>XM$Cf9xgw8Ddgr+XL5qb2d7NZF`;mA>h8M
zsj=JJ#Z_%3-v;Y)d*hcK|KJxpBjo6@E{dt=JyK{a^u^XIeTlzRm7JVo!pcrzOM_|h
zTc^u>se5^XPS4Xg5<Pe6iek?rWC##07mEc%`f;Q#W6);w366rT1ncC_l1P*hv!gNB
zutL}zq$um?DZ`2&B%mrwkLm3gOiv1fY;DP}#Ri}j8|i_skr7ghjeuzQQ~Yn1{r^;M
zPikVrHZ(dOG{a|dUpG41-;Q70qZp*L+jht60}p!QAI<D?`#}-AuD>Ln#}RQ}<&yP?
z>zUluv3^r&3oc5!#N+Vd+wS%zz0Tj%S_cmPBU@6_>nzs0Y%qOI^Y%MDe`Z`!t)t2u
z7-P{yU^_7)hs_q8nU7B>TrP#}*sj*x`h8F@c;N8k&0lnuU9_sNY%lRsx?JV_Qg-=X
zm2yRjN_A?^BC1xb5uFxWuK2)qR-be7owrfTBuh0v7Nn4+%1n<*VtL(^Ey?Qp99D<C
zxz<UjAPqj6<(KbJV~a^i!R#oy)V%egjX_PpqTuVzz3S@s#f;)pQwPMQBI0Mve{eB@
zMIR}*(F1UFpTP1f+H%x)fBZl$&P!Bk`?>A38x>U!;}-Ljt5X_Tg#5)!fbn2WgS|8?
zj_4$i1&#$<Jv?kSvQQ0RJy@5g&C}X7_b1&@5hkZGIY<g2{HqHTY+WCY4?k-F@i5?p
zqbvn@5WEg+kIFD=*UX<Vqc3P9>>~j9d-4$6bn>ad_$fY0YIdF`>4ZsGzA7(d-K|SI
zVyp^SO*0x3jPWV2yOYi54=G!%`!TEBztF^^&RjiEy2HaK)Yc-giBujg)|u?xl(35#
zl~LfTpS<hE3%?5NKKID4cdM8?G3$zbon)$q%D+V{JZ9AGnpyaIednqr!kK9Zx0eBK
z|NV(7p$9qtq$>)Ze_}NZ{L2<aNvfPl_&j$0=>(?%4+Jr)i3sU{lK|2todn1~tHrQj
zwJ2M}uNDgEwAK>AYGJbFt8LwM>C{zsYAps`e&9V8G);3YJmR#KxmNS}sdGnO?Bm=|
zzSA9;EHf<Mz2N+1$^BLAfwlwa((VC+{ABaD_bYwZv7hItd79&mQpL_16oz9GbykFL
zbTo@@=;D<JnY_6C-KRg!Vk4!<>41NXe>KjmqU8)Oe6XVFaP2(8!X0uE<vd5S+8Tpk
z2onu+G1~!Mwf>|l>07N6>B>Qnu0Z8LXo)BzWD^`h_ojsFX@hzOG$Jx;KQ&}$8a0GP
zBU{s09J)6hY!7I^P7(-p!QcR)uLt-Fd=Tm~flbE5{|Y_+C(dfBQlP>^z4EF`t~=ac
zEnt|u3%(wHu;F$_<BGl<>uZ>QR?ZY6>~318>uox>5Es5T)uat~-ET*5R%^-T?7u!m
zy^EhCk*5BnGv-TP_QA5F53Ll8NU3>8Z4c?Js_2Qcz9*NwR@?DYymr)<wRxYrHu={>
z`)`u^NU}!Hifl8tvdRzMedwZ9U7ND#q=r}3t4A@4!4(dz4Ue~;RjhVtF8^5XVdDIL
z!>WDSKO9w!2fbS>6S7Pdq3g+L(}N=7KTLG$rsIx(UAc%UAvFEsycq{Jo4)Bcc9t=1
z@X*kDzA%SWsNbQ0nX?)j{65!UVT;KvA>&xjlM(H5aPOuft+rtQci(?<RyQ2oDZp9w
zt-jy2>MtihwQE!*ORh3FnwZ`&j<cquGzo-{_?(4<F@UE2zl6o+Cl8gvCoBg9oQ$=D
zZD4CW7Cb_*Icz%0T4<D<Ho{tLu-OU=3lktKT^5ba1p7rA8$1Ou*>nz*6)_>VG11Xb
zXp3~9!*V(4T`>M~G@+)OP*xVa!@KK#XM?%QaCdjP!xL+hziz_Y6>42#PWe?DOPy@9
z_s$H6ydl$I_hYZy2KL~EXUh7DCb=nwq;p5=J2Iz{2urWsdVla!jB&?wS7t@iZ8kOW
zUF6n9vnm$~b#5}@oP3LMbjY}Pw2SgNcCj=#)}vO6La3z}NZt~AFDzGnai_xmSeMI%
z;_YSk1`U>POf_kBx|TVuFzd`U&1JLHl7eUWeGEygXB{el#aMGJD^^ErIPHEyqi!~Q
zLkJWN=vKm$qdDmY##=tys0NT??pI{tzbXY9n`YZDNcg)T@1nxpSI>OtTj~#|yo{6^
zYPs5&WX{~kYF#WYHe~6uGqcO=>9r>w!KK?~rdY6ylV!Zaf1Kw%-!!e3s5{SHNhC%%
zA;SNf^9g%z(_Hka-L>6!eWmrBtam8ue3iT?f6PpBOHJkcgS8@#$5#ixMA$PQuxAn2
zQ6p_4dqS6O!6gT{J7Wm4XVu8f3}8>vHbM5R*_^LTRu3*>wEwFd>nG7Sw6jL}VLJC#
zlK%yI#^PvJBtdcx2A_M=YAEXU(04PZ53h~y2U;CUKDYTT4WBFT*^s6utBo!UcN{#Y
zF0GjVvTercK}t!f`C$~f-`B3HWN{u*^ZsgC{WS$VbCC<T0&X13d*^{%-eARn{m6WD
zpZ}@8><vNc%c<na^`#2j*r{BK9~i4IU8D5{{v+b~Gz2l4F$H1{Kx~g+G8s{=jR-XY
zdyzKj4zMCA2|+y8G9{t{8H$e`L+n9pM5b>m3GOH@v1hfYBI>;sE2!EvCwte_)%dz4
z_dYFlQ0`P)Dd|*tH@#_fXKlHKr%1r72+QwXdo*IZ?kTy=)Z=BEq|R6>t;Qk&C=?0-
zv=~?uUVz)VaCXC<tLo=v+2*U*xc*9$yl}e{Kjx);y^?<;RVw#x7$YlkkJ=IA>A@ZO
z#d>`={T9X6Tb>H>>QLT{#NvUq$XKnPlv{?j;Jyvy);|++D+g5O+sLio>1SiPwGG_S
z^&p6GHh)CK@DbboH;9sMB9H~ha->bP5v6a7MG*C-wh`n%#zoLZ#B~?IJLe!&d=ZrO
z*=}EupTng@`EQ5cDyGeu-86jd9WS*0SlhGitBTf#rfVJ@v?QG8iMNIF#DxPZaP{6_
z9=ga><OvsggxXzYWu<m+!xYyM^kdBCrgl6E=lO}h^X+W3-uGdjPJtNeK<$oMPn3IR
zz7Xn>402b|IWKX7wl?Nl=jU$i{M3!<N$M`jE?-&wU7qiFHS_LUImC7)VUGK>w8iBl
zct%~%Eqpz{{ne7C<6`d9@Rpky&``PJZ!6o4&)vLUEGD`K$34ivwFEGN;4mlUFBY8I
z!UgWI$I9TYXM2qPVXtsW@(S<0FjwQj49mtFNQAtBKYzc!v;KtScDwR~+`et#U!4tB
zOLttrXl`eVf!y9U2oO8GQBW9IDM*{NTIgH+5yX7IDG|YHsaQ9Pn7bT7lm`)lyDu*N
zw@z3(yZ41l?&>_9&uitIt7~_M*8PpjNk1bMWAHL@*wcUCzWhR8lWD8%-5(-m;LA{u
z5J(cFO-vN%yDiv!f@Gd4n0nROAenojK%zYOI+`dSnw8aamm_8rwf7nBXNIS-i`QJw
zSYP^eAAS2di@3P5#)4kUIc17n@j3^47P`Kj?K{8Rk*W4EfV8ai$%CZ@5j@2MMK+rX
z<`*mVheqj3WU$5Z+PscwFxNbdFwDO4`W4S;=VMRz@~p_Dq(O1n1J8>iqU~<jMm2wd
zbNudxoV{~kN&B4kt~#^C@^vLC-|?rEKJI0>%U$B!Wx2v3r<`*3_HK@(Q6$gNBpaXa
z-_YZ`_TQy5--_LBxOXhFV&2z1m1nzdvM;q@j}IYkxeVMg8t+MNF|@_=-SS@0Esy;9
zZjnN#9a9r@3xZfS4slYv4YezgctaKw;@xB5|HvO?(3h<@#^O!&to+c7Aj0LpY@Cd!
zWriT4>!v_tfPZnIt>-2qrUAs?=j0JR1TiIRN<@&8%_4$`vPe!osazeT@B?R9Q_A3$
zZRqQJx0ZM`+efONeKPG?YgA`OU6dHFNn`rwfbWub$cyA$k%{H}abjlQ5Hr5W2%51I
z9Ht&IqNKpYID%&IT{RCq_D9{Ma9Y?3@x$3TA)E{(oPPnzKK~ODIKB^LITifLL39<}
zsR7z-1U(C&|K4r7UWmOvf(7l3MMBGnQY1q!pN`qP4H@D8?6!kCf1D(NKgp+)C%JPr
kf0Bzv%=q0TgShBFtq5U0`kSfHk*aqzdlbD*9C6|Q0AR(M9{>OV

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/ecdhe.test b/testing/btest/scripts/base/protocols/ssl/ecdhe.test
new file mode 100644
index 0000000000..bd1bd2cb96
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ecdhe.test
@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: btest-diff x509.log

From 24b63f5fc8f9526d902137813fabb692a5fd9478 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 09:53:18 -0700
Subject: [PATCH 199/220] Forgot a few ciphers in the EC list...

---
 src/analyzer/protocol/ssl/ssl-protocol.pac | 69 +++++++++++++++++++++-
 1 file changed, 66 insertions(+), 3 deletions(-)

diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index a44516dc6b..f84befe695 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -98,7 +98,7 @@ type ServerName() = record {
 	name_type: uint8; # has to be 0 for host-name
 	name: case name_type of {
 		0 -> host_name: ServerNameHostName;
-		default -> data : bytestring &restofdata; # unknown name
+		default -> data : bytestring &restofdata &transient; # unknown name
 	};
 };
 
@@ -119,7 +119,7 @@ type ServerNameExt(rec: SSLRecord) = record {
 #	status_type: uint8; # 1 -> ocsp
 #	req: case status_type of {
 #		1 -> ocsp_status_request: OcspStatusRequest(rec);
-#		default -> data : bytestring &restofdata; # unknown
+#		default -> data : bytestring &restofdata &transient; # unknown
 #	};
 #};
 
@@ -383,7 +383,70 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 	TLS_ECDH_ANON_WITH_RC4_128_SHA,
 	TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA,
 	TLS_ECDH_ANON_WITH_AES_128_CBC_SHA,
-	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA
+	TLS_ECDH_ANON_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+	TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+	TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_ECDHE_PSK_WITH_NULL_SHA,
+	TLS_ECDHE_PSK_WITH_NULL_SHA256,
+	TLS_ECDHE_PSK_WITH_NULL_SHA384,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 		-> ec_server_key_exchange : EcServerKeyExchange(rec);
 
 	default

From b1a2bccdc747750a94c396b07119bb14fcb800c9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 14:51:08 -0700
Subject: [PATCH 200/220] Add a few more ciphers Bro did not know at all so
 far.

---
 scripts/base/protocols/ssl/consts.bro      | 8 ++++++++
 src/analyzer/protocol/ssl/ssl-defs.pac     | 4 ++++
 src/analyzer/protocol/ssl/ssl-protocol.pac | 4 ++++
 3 files changed, 16 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index e60363e14c..e1b366130f 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -487,6 +487,10 @@ export {
 	const TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9;
 	const TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA;
 	const TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xC0AC;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD;
+	const TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE;
+	const TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF;
 	# draft-agl-tls-chacha20poly1305-02
 	const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13;
 	const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14;
@@ -850,6 +854,10 @@ export {
 		[TLS_PSK_WITH_AES_256_CCM_8] = "TLS_PSK_WITH_AES_256_CCM_8",
 		[TLS_PSK_DHE_WITH_AES_128_CCM_8] = "TLS_PSK_DHE_WITH_AES_128_CCM_8",
 		[TLS_PSK_DHE_WITH_AES_256_CCM_8] = "TLS_PSK_DHE_WITH_AES_256_CCM_8",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
+		[TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
+		[TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8] = "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
 		[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 		[TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index 2b55e53b25..a4074443b9 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -407,6 +407,10 @@ enum TLSCiphers {
 	TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9,
 	TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA,
 	TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM = 0xC0AC,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM = 0xC0AD,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF,
 	# draft-agl-tls-chacha20poly1305-02
 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13,
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14,
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index f84befe695..e19fdb6aac 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -445,6 +445,10 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 	TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
 	TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
 	TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+	TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 		-> ec_server_key_exchange : EcServerKeyExchange(rec);

From fb56b22cffdf8603404da367fac097b71b3bf36f Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sat, 26 Apr 2014 23:48:47 -0700
Subject: [PATCH 201/220] Add DH support to SSL analyzer.

When using DHE or DH-Anon, sever key parameters are now available
in scriptland.

Also add script to alert on weak certificate keys or weak dh-params.
---
 scripts/policy/protocols/ssl/weak-keys.bro    |  90 +++++++++++++
 scripts/test-all-policy.bro                   |   1 +
 src/analyzer/protocol/ssl/events.bif          |  19 ++-
 src/analyzer/protocol/ssl/ssl-analyzer.pac    |  17 +++
 src/analyzer/protocol/ssl/ssl-protocol.pac    | 121 +++++++++++++++++-
 .../scripts.base.protocols.ssl.dhe/.stdout    |   1 +
 .../scripts.base.protocols.ssl.dhe/ssl.log    |  10 ++
 .../ssl.log                                   |   8 +-
 .../notice-1.log                              |  12 ++
 testing/btest/Traces/tls/dhe.pcap             | Bin 0 -> 6929 bytes
 .../btest/scripts/base/protocols/ssl/dhe.test |   8 ++
 .../policy/protocols/ssl/weak-keys.bro        |   8 ++
 12 files changed, 288 insertions(+), 7 deletions(-)
 create mode 100644 scripts/policy/protocols/ssl/weak-keys.bro
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
 create mode 100644 testing/btest/Traces/tls/dhe.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/dhe.test
 create mode 100644 testing/btest/scripts/policy/protocols/ssl/weak-keys.bro

diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
new file mode 100644
index 0000000000..27cfb31554
--- /dev/null
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -0,0 +1,90 @@
+##! Generate notices when SSL/TLS connections use certificates or DH parameters
+##! that have potentially unsafe key lengths.
+
+@load base/protocols/ssl
+@load base/frameworks/notice
+@load base/utils/directions-and-hosts
+
+module SSL;
+
+export {
+	redef enum Notice::Type += {
+		## Indicates that a server is using a potentially unsafe key.
+		SSL_Weak_Key,
+	};
+
+	## The category of hosts you would like to be notified about which have
+	## certificates that are going to be expiring soon.  By default, these
+	## notices will be suppressed by the notice framework for 1 day after
+	## a particular certificate has had a notice generated.
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	const notify_weak_keys = LOCAL_HOSTS &redef;
+
+	## The minimal key length in bits that is considered to be safe. Any
+	## shorter (non-EC) key lengths will trigger the notice.
+	const notify_minimal_key_length = 1024 &redef;
+
+	## Warn if the DH key length is smaller than the certificate key length.
+	## This is potentially unsafe, because it gives a wrong impression of safety
+	## due to the certificate key length.
+	## However, it is very common and cannot be avoided in some settings (e.g. with
+	## old jave clients).
+	const notify_dh_length_shorter_cert_length = T &redef;
+}
+
+## We check key lengths only for DSA or RSA certificates. For others, we do
+## not know what is safe (e.g. EC is safe even with very short key lengths).
+
+event ssl_established(c: connection) &priority=3
+	{
+	# If there are no certificates or we are not interested in the server, just return.
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+	  ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+		return;
+
+	local fuid = c$ssl$cert_chain_fuids[0];
+	local cert = c$ssl$cert_chain[0]$x509$certificate;
+	if ( !cert?$key_type || !cert?$key_length )
+		return;
+	if ( cert$key_type != "dsa" && cert$key_type != "rsa" )
+		return;
+
+	local key_length = cert$key_length;
+
+	if ( key_length < notify_minimal_key_length )
+		NOTICE([$note=SSL_Weak_Key,
+		  $msg=fmt("Host uses weak certificate with %d bit key", key_length),
+			$conn=c, $suppress_for=1day,
+			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		]);
+	}
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=3
+	{
+	if ( ! addr_matches_host(c$id$resp_h, notify_weak_keys) )
+		return;
+
+	local key_length = |Ys|*8; # key length in bits
+	if ( key_length < notify_minimal_key_length )
+		NOTICE([$note=SSL_Weak_Key,
+			$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+			$conn=c, $suppress_for=1day,
+			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		]);
+
+	if ( notify_dh_length_shorter_cert_length &&
+	  c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
+	  c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
+		( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
+		  c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
+		{
+		if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
+		  c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
+			NOTICE([$note=SSL_Weak_Key,
+				$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+				key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+				$conn=c, $suppress_for=1day,
+				$identifier=cat(c$id$orig_h, c$id$orig_p)
+			]);
+		}
+	}
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 5c6ed286fb..43dc6b9dce 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@@ -90,6 +90,7 @@
 @load protocols/ssl/log-hostcerts-only.bro
 #@load protocols/ssl/notary.bro
 @load protocols/ssl/validate-certs.bro
+@load protocols/ssl/weak-keys.bro
 @load tuning/__load__.bro
 @load tuning/defaults/__load__.bro
 @load tuning/defaults/extracted_file_limits.bro
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 54bb0715d2..46747ecb58 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -59,6 +59,7 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate ssl_server_curve
+##    ssl_dh_server_params
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -117,7 +118,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##    ssl_extension_server_name ssl_server_curve
 event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
-## Generated a named curve is chosen by the server for the SSL/TLS connection. The
+## Generated if a named curve is chosen by the server for the SSL/TLS connection. The
 ## curve is sent by the server in the ServerKeyExchange message as defined in
 ## :rfc:`4492`, in case an ECDH or ECDHE cipher suite is chosen.
 ##
@@ -131,6 +132,22 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##    ssl_extension_server_name
 event ssl_server_curve%(c: connection, curve: count%);
 
+## Generated if a server uses a DH-anon or DHE cipher suite. This event contains
+## the server DH parameters, which are sent in the ServerKeyExchange message as
+## defined in :rfc:`5246`.
+##
+## c: The connection.
+##
+## p: The DH prime modulus.
+##
+## q: The DH generator.
+##
+## Ys: The server's DH public key.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_server_curve
+event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%);
+
 ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension.
 ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in
 ## the initial handshake. It contains the list of client supported application
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 071edf2eac..ef1d862b87 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -409,6 +409,19 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_dh_server_key_exchange(rec: SSLRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool
+		%{
+		BifEvent::generate_ssl_dh_server_params(bro_analyzer(),
+			bro_analyzer()->Conn(),
+		  new StringVal(p.length(), (const char*) p.data()),
+		  new StringVal(g.length(), (const char*) g.data()),
+		  new StringVal(Ys.length(), (const char*) Ys.data())
+		  );
+
+		return true;
+		%}
+
 };
 
 refine typeattr Alert += &let {
@@ -501,3 +514,7 @@ refine typeattr CertificateStatus += &let {
 refine typeattr EcServerKeyExchange += &let {
 	proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve);
 };
+
+refine typeattr DhServerKeyExchange += &let {
+	proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index e19fdb6aac..840aca4b84 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -356,8 +356,9 @@ type CertificateStatus(rec: SSLRecord) = record {
 # Usually, the server key exchange does not contain any information
 # that we are interested in.
 #
-# The one exception is when we are using an elliptic curve cipher suite.
-# In this case, we can extract the final chosen cipher from here.
+# The exception is when we are using an ECDHE, DHE or DH-Anon suite.
+# In this case, we can extract information about the chosen cipher from
+# here.
 type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher() of {
 	TLS_ECDH_ECDSA_WITH_NULL_SHA,
 	TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
@@ -453,6 +454,109 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 		-> ec_server_key_exchange : EcServerKeyExchange(rec);
 
+	# DHE suites
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+	TLS_DHE_DSS_WITH_RC4_128_SHA,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD,
+	TLS_DHE_DSS_WITH_AES_128_CBC_RMD,
+	TLS_DHE_DSS_WITH_AES_256_CBC_RMD,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD,
+	TLS_DHE_RSA_WITH_AES_128_CBC_RMD,
+	TLS_DHE_RSA_WITH_AES_256_CBC_RMD,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	TLS_DHE_PSK_WITH_RC4_128_SHA,
+	TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+	TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+	TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+	TLS_DHE_PSK_WITH_NULL_SHA256,
+	TLS_DHE_PSK_WITH_NULL_SHA384,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,
+	TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,
+	TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+	TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+	TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+	TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+	TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+	TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	TLS_DHE_RSA_WITH_AES_128_CCM,
+	TLS_DHE_RSA_WITH_AES_256_CCM,
+	TLS_DHE_RSA_WITH_AES_128_CCM_8,
+	TLS_DHE_RSA_WITH_AES_256_CCM_8,
+	TLS_DHE_PSK_WITH_AES_128_CCM,
+	TLS_DHE_PSK_WITH_AES_256_CCM,
+	TLS_PSK_DHE_WITH_AES_128_CCM_8,
+	TLS_PSK_DHE_WITH_AES_256_CCM_8,
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+	# DH-anon suites
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+	TLS_DH_ANON_WITH_RC4_128_MD5,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+	TLS_DH_ANON_WITH_DES_CBC_SHA,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA256,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA,
+	TLS_DH_ANON_WITH_SEED_CBC_SHA,
+	TLS_DH_ANON_WITH_AES_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_AES_256_GCM_SHA384,
+	TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256,
+	TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256,
+	TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384,
+	TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384,
+	TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256,
+	TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384
+	# DH non-anon suites do not send a ServerKeyExchange
+		-> dh_server_key_exchange : DhServerKeyExchange(rec);
+
 	default
 		-> key : bytestring &restofdata &transient;
 };
@@ -466,6 +570,19 @@ type EcServerKeyExchange(rec: SSLRecord) = record {
 	data: bytestring &restofdata &transient;
 };
 
+# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams
+# structure. After that, they start to differ, but we do not care about that.
+type DhServerKeyExchange(rec: SSLRecord) = record {
+	dh_p_length: uint16;
+	dh_p: bytestring &length=dh_p_length;
+	dh_g_length: uint16;
+	dh_g: bytestring &length=dh_g_length;
+	dh_Ys_length: uint16;
+	dh_Ys: bytestring &length=dh_Ys_length;
+	data: bytestring &restofdata &transient;
+};
+
+
 ######################################################################
 # V3 Certificate Request (7.4.4.)
 ######################################################################
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
new file mode 100644
index 0000000000..c2cc676ec1
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/.stdout
@@ -0,0 +1 @@
+key length in bits, 1024
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
new file mode 100644
index 0000000000..652f3b3df7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dhe/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open	2014-04-27-00-52-03
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
+1398558136.319509	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	TLSv12	TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA	-	-	-	-	T	F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7	(empty)	emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US	CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL	-	-
+#close	2014-04-27-00-52-03
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
index da805fd35d..b09bd04350 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.known-certs/ssl.log
@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
-#open	2014-04-26-16-45-23
+#open	2014-04-27-06-48-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	session_id	last_alert	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	string	string	bool	vector[string]	vector[string]	string	string	string	string
-1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	-	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
-#close	2014-04-26-16-45-23
+1394747126.855035	CXWv6p3arKYeMETxOg	192.168.4.149	60623	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	-	-	-	T	FlaIzV19yTmBYwWwc6,F0BeiV3cMsGkNML0P2,F6PfYi2WUoPdIJrhpg	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+1394747129.505622	CjhGID4nQcgTWjvg4c	192.168.4.149	60624	74.125.239.129	443	TLSv12	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	secp256r1	-	-	-	T	FOye6a4kt8a7QChqw3,FytlLr3jOQenFAVtYi,FEmnxy4DGbxkmtQJS1	(empty)	CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US	CN=Google Internet Authority G2,O=Google Inc,C=US	-	-
+#close	2014-04-27-06-48-05
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
new file mode 100644
index 0000000000..a8784bd8c8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-27-06-41-50
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+#close	2014-04-27-06-41-50
diff --git a/testing/btest/Traces/tls/dhe.pcap b/testing/btest/Traces/tls/dhe.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d5e034ef849d9b23bd713a69d6bcb69600ac3560
GIT binary patch
literal 6929
zcmd5=dpML^`+nb<G06FlQx4<YrlxnwsR$)GM@ACL9%EuMhCMS#2gXz+DaoOtLeA$R
z>7ZS7*hwXdB9#cGq9n14Z@t8q?Aq7wy1qYtu4`Rpy|dQ6?sc!{xu18|gW5A07zhVV
z{f&=95DYq14xZ!(Z5U_`_>4B6&E-M|d472Ta&%Dv$P$9g6G`TfIi9F{B~Nm3W*a7F
z&=S5FuBCYcMJmILk4FF`434h?#$s_WEHFngHAVsb4u_dU4{gUmwxEx;N!-ab06GCO
z0SiEj@J;3@GP(kManKUepTP%KxS1|#6h9y_iH^ev%)!5|W~1m}B`nI@>nRRe2~g2C
zi?^Pe9?E-*-VeNQ0(3lAoS<t^4HTH<n}#Bzh;yIgpd5gPwpoZrzJ{WR*Y^J-q8vfD
zTz)2^3>JpGfXE(L?50+3l1jwBu1D>bgUXE^ZbKvQeEoNvxuv=1(W#D_)^H#fv=<u3
zfYA#fb+Eb!M1Yj>Fdl=)^1*x<KA<fQgTrEBEC!3kz!(e$3yA^#C~N01{Im|U6xLHr
zKozd6{6S%SxR#bKSDatc(P@%3&>#t@n>L}t0X+1Y51ME{BJw>^Jd7fq7Wo-sW#Kep
zGKwgJ#X`$KG#Fs9WKV~3PlMlgAD@>cpq%DLeXr=FZi3tBW+Zy*aCIG74FW1aqT?_c
zo2U%v7QuAkC?QCg2MI?&_!S5bzZ~K5X{JxefE5e7jfmg{b)u}JhDBglhz~*{_mhMW
zK|FRH4ljkVu_wtO(r9Onln9waVR0-10|@pUA0kN?`3-$8B&9~CQG;1D!YaBiokL*|
zENCnaeKVa(;m`<Vx-XN?^d%V~2Iyd{)S_t+3kHSFCXfhDEP4Qi6-KaOa%ijonh$+q
z9*q@3V-YM?Aj+~LBt2xw5(HVgcqvKW9dz|UmxLIS^z|3JBWu26yN*nfM`R}#5)Tax
zB{Jv?N+^xNAu?$kk_MtSy;DJ0X08v72}t?`1W@P<a|(+Z$RhgC5FV`dy&^Clgyq3v
z5O_WZ!-HX{WTjEco9o!*4&NtBTvY2)a<vt&XA0)^$B?DTw#&i>x&<rZPQa38UP}U_
zdrLGL{Z>mnyILXP`{eB9m3lWfIfkeWH=oggP1CyWe^Pw0K5gi(;nB3<jN_wbdq+<p
z5jII~P3^D0Xg;5}_OMKI<Ti&mW?XEdsb4lTCUouM^=g+kD;r5;)nu#p-!d4T-zw{1
zoVzHXRZ7aI-(>yP4CG;iu;%68?<%y_?jy@NnEB&B>FI1b>ACx1!pZutR<HNDZK~La
zQzs{$<$GI6xx7ERF7%yOTcNps->FaPSr2wJvl0i~o_;YqfSk7WjO3=br%|QO-S78W
z^~tY=C0->Tb@~|wq$PZchv`Ikm}e7lq9ldGAP^!1bXO9?;XsPzAyQ~Z6DN$!!3*f(
zVLm>7EQ~0j4@Ge@IOz`^A=`@cBfJ-wzOd?$fO#^TSgwc)`n5Vv4w2zX_pQ`xI8s)4
z^5Z;zf#G@|V!!AD%ZYeXlEA4U1m3LE<q3a(*5I^UQ8WUM2Rnd{4I+TY`$h`G7#Q@7
z@j`$T4vsu)2xG9|feu2PqKScJ)ciP{pk<2|p#j83L!QlM5UGIyi-H0fbZQte$Y(PW
zIXpc9gG9bYv}FkY4eaUorw1|#D}p(Gfh;;F3;`JjD@0y)@uRZ|)afxaLMVkzptIS*
zG#>(m3Zl>lBn*KQNZ|O<2vbSoN@37_C>#`!Mf)R|&Y}g-m>f1CaP!2l|E|4)Fv)TO
z7{{Pfm{b}ekjV%mYz|~ijHH7sWBP!lf`VB=fovLq&Ln`n1x<~e!~=7~P!>U8_hE!U
zZwB3WVsSPR(MNSv!4Z)Kh)(+abgd|jZ*oytjG1y#Ssc<r^eJda<bf%{U>Fw}i9{ev
zryd}1)WUBVfmC+TOb~Xk_aZ9l6r@G$2~Su=r64P(r(&WEzD=djDKlrH60;Y9`NYZj
z#L4+YDg_YYAnNEoByoy}LX_Ok4*Yu~0M-bM0ERq#+oX@UoJt~JAa0(QuQE<8$fqt7
z7jXARonQ9QFP%Se!uf?~I)6^dR4u8#IMey%86I1SX03Y|XOVnO%VOw}TZRQIOWomp
zm3#e$Hm{uM5C=6@+}yHV3(~!e@7`{@td=hqC4ax0F%l#HxmsA$)6Hx@f1+{Qv5=y>
zt}nV<xmHSQ<p))ZT^;r}NnXkfnPW|sdz$ZfD1&d`mn!oEs~lUOFXyW*K3Dx!^Fl;&
zVa1I`CA()`?=B{-kV|w;5V735(8hK+8(DpR$wI8rtz*<8;dVocu1C$SKL^^>Qfo%7
zF~|7N`D64Gamv5B^gzd*cf6&U@yvW5>ysQhjb8a}5+3lF-)<9gd7eNHWBV3Axh`2H
zkD+)7Zv?869>T*ZPF5vY?t9_+Kuy~Doyq^NO44tLHV6SwlKwq&K@9@s23f4P7}3`w
z8KO1l`|kg@lKF2XtTN_CQNN(`R{o*{YQx7>a&o)5t}2I0I-*AxJ5@AU;Rm|;y@Eu=
zhn23}6*th^<1Us^wChHZo3q&kquwt)xf(Cba|A-JBrs3t1UQ&6DTFy~8=f}qq?Vhm
z9vf9%E7x)d$$87qG!BZc7#Zz*$1~vzOc>63G6zvU%pT*fYw_Y9S95bN!MDantJBN6
zbRNCl)mT0FM_Z8le6dn@qaaI3GsNMJajEP}vD@kS8?6gYQ=D$=-7)d373vkgvOjeI
zi}fBm!!TuuzEiZ&xn(W7e(5!m>R;kl7etS_Bsr@%n~)?^BYLi+XK#4;;-Klk!@Q1`
zAX5Id@_VHL<VE<8x!+0{Tnwx~9}z>1KnjM(aeN3C{6j?12V&?0P|INacV+7ztJ3#n
zYmHF9LYBElwk$mwsnhebXjoD50ogp|R>1k(5jPNa-%27dzIi`2K45bTrw3x9RDb4C
z?9J?Nj^=^#R>8R-&WLupX1e;n&td#9aF&Hnfdl{MqUZ!%7!ryEe_uagWb^;Idg@JW
z3{>0sKie2usixisCu;6@@2S8Ousra(uPSI`n!T6#TqxGMmE>@6*mZqoN0ayZS7%)Z
z_gDrSzjRW;#dfE=oAy8@dm8>8Ct!VU7h^hZ9AbSw<<R`Jx85vcUuNeH!`vH=2lbmj
zHZ$?t+f^Uma~;2psM(Cg;0E`+EO_6e(i<G_&_1$yc%|O3rJJyX$nLTmts6~8;1fL^
zt?QC5b5Q4B3!MKk7Mf^3zVl;mD<+}NU#>XQ`HNg9oL`P#684(u{EFMZI7mAdg|D;P
zx&33dh>dbm@37?6`tgt)O{<2%VExM}=iFra3Ou(4z9A!}uW=6b`IyduN}S{;<g~={
z_%*IREl*4=yx2?o?MkEjK8^Y9UB!Cc$bW-gb~PimU)H9Da@x|`%b1}0%HvG^$Cg*5
zA)&bx<86tZeUC3iB$jOH^!859^Vv}qJ$Q6+ctWQ0<%^$b_ilYazQkUw$w_YUis|sw
z;|?9P;$Kv8=+D!c;a+y`4IU>oqWIRj)3G!Qn?J5U4@}ha|1|GWewlqZx$mI$v$`c`
ztw#-P705YDgd1Y+*v!2XLo$iK!fK(}IqUCREwSqS@&of}Ii_JJJOx($R$QhpK~!B+
z)z~9$x^efe^4glN#v5M+?Kpz%@5`IyO}QeOLh=JfJ=beWU#PcHUL5yi5@KwK>RZlu
zU$v|_SsI)BUd{OP&KL0w+vNYYweM`)>1DeM`&PSI{e*v9#fHqs{S4l3?ZNUUX7=K7
z{TG9^8%uWO=H2zk1wWTCV!{wc2;yG6w6N~cYEJwPi!VdmSNGZ;yPX>Ht5|3!@a{pM
zSh<ru1B(gi5$6hf-oB8Rpe23%@|$d0_Sg4~(V3TUsokO6-(M*t<gV|;9rP;;8E#_y
z^&vI;S>%%ixtedfy@TqHIq5&Td$<2Yy0$H~P}yzttIghqPaCCu*SGR34Orgm@K1$c
z48$$nWdD@0?OL&!_sBC|_o=NJe~Hz9*m9{_N)o#?XnR2i>xz*=b&tvN-*-p{`BxP>
z2(~Z1o~)clk*<yK=jyv8xSQJhTwinlf~>OhNJQo{;_ypt%^O<!UA2YY?r`jA@R`l4
z0yV0hUtM0W8CUM%-22wO-LKB&X*@Xzu^;SsSA++zJaS)2ksIyFGL6RVl?tu$Jl1&b
zma?p2Cl4KURj2B(XxkI+g)N=O`uEqj6ECEF>1W*By7FfEhM3fpz{8@xN{0n%)5H6i
zrP2~vw-of%yYjN?ht!|x20aYOmNkvivM7#OmGs^=u{u}6^KEPNL&8gq5n1`2Z@j%m
zC3oF-?L4`#z-FcG%EHX&4PB<y<OsdEb3tQ_cm-LD1v~HOOK%}8t=;wEaNXH5`%3Z>
z4VS%3lB1SCkgqhftf&2Xi|@*ojVpHzjW5Y~n6#UMIh;`zm!GrO{(!IVI=>gS>&qL=
z_3?>+oxW*r*TD>VJyzA<ef&B+*RhFe)!_I=n0d@~bw<1n`U@N<3Vu(ci9QGt{pZ&v
zCn5BbL)~xYC5M(SroYIQE3T5QGd7v%imCh13z=jT@#8NMk26t3jnUbNrEdWuLpyyo
zqH`7=k^^@DX#4RZ2A=ch7>Wod{v)Cs0V?U6MifOkqT7!Whaeurb@9x2nV)iCg@XF<
zU1O)lLuuz)7k;%*x!+D`OVV%F5c0EHTejEof!$VqCqqRqwWHX38&v)8UDn*#88ngy
z%SNQPOW+k?_MM2X7W2+r`|F8$HETt%*h5-I(MZirlk_&P*2YYX@`-fKs(>pOqD!*9
z6IN&46Fb5Ryp#Xe@m0H|0hNg>4aoc~lQJ&7bp05$t0C;cn^^n~V&>Ar$=!NU0Y{A9
z_>EQ*@3!Q3MYqo9zgLbF-KctVx;b0E`Qi~iuYu_F8-9NTpvo6p2|y-5BeeZ!+AvWu
z88z**RWnVy^liA7Hq4ddKa#g=+O*5Td5WSs6@WWJaQy`@fYR%wa0}P%>tc@lJ$kgL
zxn-olgJCG(VKTNtL1l}a|D8ddokYEwHe01^tD)m9=ld>gUpcf~wb-L2?cuW41@eT9
z3a9q;cd>Ors`p4oE**!<M$P|l%(vUas7zj>9r7e>WBkJn2M&kFroSn@6&4g4V)*D?
zlz@z(k!+Kl$hgg5mVnjbO(`WB43VSbbHXj0qGP2sKA*WGzqgyT^t@92H7Uk-T5c1u
zaP76W&g0vhSYXwJQP)j26C8=?unTo&y|<US)xWi=y-s}W7F6~jO0sFqxJ+p^?u(2r
zcmCei*yf$rY7$T_Q>+Dkkrxt;Xv~!*&x|>37}H<Y1EP39<H~f*g@KqWzX%X*FJPf)
zkacMLF^ZwE$8jiPZ_+;^f+!9+H-(t^8AX%@r(=H1Ok!Y!By9Sz#Cc<ItJ~`Ao=n4c
zm9px?MzwanLb$Ig8rAosRtzQM1=ZhVKE1AB8+MdY-;+Cho>OUXK)&c4N^AFXVdxT|
zgtl3<N`{Z3wCY@bMl1ID6s?ps|1(<X-Vo>Kod#-;BL6VrxO01TkN9o7a7WxkC{K5M
z?0k`~!TvO1Z~TM7ZVHoag|9YYkW$gTkV8eG^&t4sHY)*a6jLS=AZ=y>l=XlF*p4Q^
zc+=!w@UO4p6;o5z02;73S!z%?o?y5-Pdl5N+P4ZT=()^<F4qz4pnPEN@WAEeS4w34
z&V^r0*f7d#JF>t&<K)wW7Fi+7>m2p9MjF(p!N&sE6_DlZ*qsYKIvbs8BJ(PiWA863
zB3c_syfyZDrfVv6;V+#UnG~%TQE~9aXzu*pc!MyJ<F>W>TQ5*#UH2c1_k8l&<#p9u
z<AYgyOpX^PL!B5G$2DFXRQ~L0`n^cW(c3P%_xEd`{f7dzw!d8=f5xLR_rc%e1;n|{
z&0~i?TW6nbKAfLu5W%yya1+v6nvZ=Z*hN-X&3hczO}ko0lF?ZCN=@fhxO1D3wo&iu
zb8LOv+sRZVvpvOeRa)MWX|}u?pFbP)a|*Wx7A_X$^(Ue-<F<-Ip&(q)_M^-YUGWGi
zbLIA#GN1l3A+tRHk<)TBWuA+kHqJn`IoQ+U-pl#9hmlsBOhpG%E=|lmRMlTqvnVX(
zHsRFyinYAYDn0@flao(Bg`qT-0~$XsT}D}G<i=e4A#%54`cHoWDf&+G)O6%lq9=|b
zGJlC^XNn?*>dZzwvlt-uNe0bEj1T*-RI{>+uConAOgaCLh#={GYiA-(NcDNU1uP$Q
zGODo-Ql&ikP2uHvpEvF6-S|{4aF&qd2doPBH=M^AIadWa&fV2^AXOFJSOTE&bE)hm
zXoS4`fkqjoA8bs507+`jq;Ux#-o6X2@WJ_`ZB`7-=g&i9;C9i>7&x;S42GOQO^Ndc
eh67MU8h(kAKY>#CZz%nZzeFjRKq>eY%6|Z?SPkO<

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ssl/dhe.test b/testing/btest/scripts/base/protocols/ssl/dhe.test
new file mode 100644
index 0000000000..f41cb70fab
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/dhe.test
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff ssl.log
+
+event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string)
+  {
+  print "key length in bits", |Ys|*8;
+  }
diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
new file mode 100644
index 0000000000..ba07b6e647
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-1.log
+# @TEST-EXEC: btest-diff notice-1.log
+
+@load protocols/ssl/weak-keys
+
+redef SSL::notify_weak_keys = ALL_HOSTS;
+redef SSL::notify_minimal_key_length = 4096;

From ef5b021e77c04bcb1921b39dbffa975fc9722a4c Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sun, 27 Apr 2014 00:09:00 -0700
Subject: [PATCH 202/220] Polish changes for ecdhe/dhe

---
 scripts/policy/protocols/ssl/weak-keys.bro    | 30 +++++++++----------
 src/analyzer/protocol/ssl/ssl-defs.pac        |  2 +-
 src/analyzer/protocol/ssl/ssl-protocol.pac    |  4 +--
 .../{notice-1.log => notice.log}              | 10 +++----
 .../policy/protocols/ssl/weak-keys.bro        |  3 +-
 5 files changed, 24 insertions(+), 25 deletions(-)
 rename testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/{notice-1.log => notice.log} (55%)

diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index 27cfb31554..f8a7b504b3 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -10,7 +10,7 @@ module SSL;
 export {
 	redef enum Notice::Type += {
 		## Indicates that a server is using a potentially unsafe key.
-		SSL_Weak_Key,
+		Weak_Key,
 	};
 
 	## The category of hosts you would like to be notified about which have
@@ -52,10 +52,10 @@ event ssl_established(c: connection) &priority=3
 	local key_length = cert$key_length;
 
 	if ( key_length < notify_minimal_key_length )
-		NOTICE([$note=SSL_Weak_Key,
+		NOTICE([$note=Weak_Key,
 		  $msg=fmt("Host uses weak certificate with %d bit key", key_length),
-			$conn=c, $suppress_for=1day,
-			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		  $conn=c, $suppress_for=1day,
+		  $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
 		]);
 	}
 
@@ -66,25 +66,25 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
 
 	local key_length = |Ys|*8; # key length in bits
 	if ( key_length < notify_minimal_key_length )
-		NOTICE([$note=SSL_Weak_Key,
-			$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
-			$conn=c, $suppress_for=1day,
-			$identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
+		NOTICE([$note=Weak_Key,
+		  $msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
+		  $conn=c, $suppress_for=1day,
+		  $identifier=cat(c$id$orig_h, c$id$orig_p, key_length)
 		]);
 
 	if ( notify_dh_length_shorter_cert_length &&
 	  c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
 	  c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$key_type &&
-		( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
-		  c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
+	  ( c$ssl$cert_chain[0]$x509$certificate$key_type == "rsa" ||
+	    c$ssl$cert_chain[0]$x509$certificate$key_type == "dsa" ) )
 		{
 		if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
 		  c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
-			NOTICE([$note=SSL_Weak_Key,
-				$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
-				key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
-				$conn=c, $suppress_for=1day,
-				$identifier=cat(c$id$orig_h, c$id$orig_p)
+			NOTICE([$note=Weak_Key,
+			  $msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
+			  key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
+			  $conn=c, $suppress_for=1day,
+			  $identifier=cat(c$id$orig_h, c$id$orig_p)
 			]);
 		}
 	}
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index a4074443b9..29eb1d1fb9 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -62,7 +62,7 @@ enum SSLExtensions {
 };
 
 enum ECCurveType {
-  EXPLICIT_PRIME = 1,
+	EXPLICIT_PRIME = 1,
 	EXPLICIT_CHAR = 2,
 	NAMED_CURVE = 3
 };
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 840aca4b84..af220f39de 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -566,7 +566,7 @@ type ServerKeyExchange(rec: SSLRecord) = case $context.connection.chosen_cipher(
 # We also do not parse the actual signature data following the named curve.
 type EcServerKeyExchange(rec: SSLRecord) = record {
 	curve_type: uint8;
-	curve: uint16; # only if curve_type = 3
+	curve: uint16; # only if curve_type = 3 (NAMED_CURVE)
 	data: bytestring &restofdata &transient;
 };
 
@@ -739,7 +739,7 @@ refine connection SSL_Conn += {
 
 	function chosen_cipher() : int %{ return chosen_cipher_; %}
 
-	function set_cipher(cipher: int64) : bool
+	function set_cipher(cipher: uint32) : bool
 		%{
 		chosen_cipher_ = cipher;
 		return true;
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
similarity index 55%
rename from testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
rename to testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
index a8784bd8c8..b44fb54b70 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-1.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice.log
@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-27-06-41-50
+#open	2014-04-27-07-15-32
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::SSL_Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
-#close	2014-04-27-06-41-50
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	Host uses weak DH parameters with 1024 key bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.430417	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	DH key length of 1024 bits is smaller certificate key length of 2048 bits	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+1398558136.542637	CXWv6p3arKYeMETxOg	192.168.18.50	62277	162.219.2.166	443	-	-	-	tcp	SSL::Weak_Key	Host uses weak certificate with 2048 bit key	-	192.168.18.50	162.219.2.166	443	-	bro	Notice::ACTION_LOG	86400.000000	F	-	-	-	-	-
+#close	2014-04-27-07-15-32
diff --git a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
index ba07b6e647..42ef2ecc16 100644
--- a/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/weak-keys.bro
@@ -1,6 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT
-# @TEST-EXEC: mv notice.log notice-1.log
-# @TEST-EXEC: btest-diff notice-1.log
+# @TEST-EXEC: btest-diff notice.log
 
 @load protocols/ssl/weak-keys
 

From 7d0e5067c76ce5f3719cb203a1b692f78b64eecf Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Sun, 27 Apr 2014 16:25:32 -0700
Subject: [PATCH 203/220] fix broxygen errors

---
 scripts/policy/protocols/ssl/weak-keys.bro | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/policy/protocols/ssl/weak-keys.bro b/scripts/policy/protocols/ssl/weak-keys.bro
index f8a7b504b3..a6f96bfd53 100644
--- a/scripts/policy/protocols/ssl/weak-keys.bro
+++ b/scripts/policy/protocols/ssl/weak-keys.bro
@@ -32,9 +32,9 @@ export {
 	const notify_dh_length_shorter_cert_length = T &redef;
 }
 
-## We check key lengths only for DSA or RSA certificates. For others, we do
-## not know what is safe (e.g. EC is safe even with very short key lengths).
-
+# We check key lengths only for DSA or RSA certificates. For others, we do
+# not know what is safe (e.g. EC is safe even with very short key lengths).
+#
 event ssl_established(c: connection) &priority=3
 	{
 	# If there are no certificates or we are not interested in the server, just return.

From 4b059ea15ac6bba0c5189532bc1c749ec066b1c6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 29 Apr 2014 12:44:53 -0500
Subject: [PATCH 204/220] Improve file analysis manager shutdown/cleanup.

file_analysis::Manager's dtor now doesn't assume any more analysis
progress can be made because too many of Bro's other subsystems
are shutdown by that point.  Any file analysis requests made after
Terminate cannot be reliably processed.
---
 src/file_analysis/Manager.cc | 22 +++++++++++++++++++++-
 src/main.cc                  |  2 +-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 3f04ebfc2b..393dadfdc7 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -27,7 +27,22 @@ Manager::Manager()
 
 Manager::~Manager()
 	{
-	Terminate();
+	// Have to assume that too much of Bro has been shutdown by this point
+	// to do anything more than reclaim memory.
+
+	File* f;
+	bool* b;
+
+	IterCookie* it = id_map.InitForIteration();
+
+	while ( (f = id_map.NextEntry(it)) )
+		delete f;
+
+	it = ignored.InitForIteration();
+
+	while( (b = ignored.NextEntry(it)) )
+		delete b;
+
 	delete magic_state;
 	}
 
@@ -58,10 +73,15 @@ void Manager::Terminate()
 	HashKey* key;
 
 	while ( id_map.NextEntry(key, it) )
+		{
 		keys.push_back(static_cast<const char*>(key->Key()));
+		delete key;
+		}
 
 	for ( size_t i = 0; i < keys.size(); ++i )
 		Timeout(keys[i], true);
+
+	mgr.Drain();
 	}
 
 string Manager::HashHandle(const string& handle) const
diff --git a/src/main.cc b/src/main.cc
index cf1f82b1eb..10b66083a8 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -379,10 +379,10 @@ void terminate_bro()
 	delete secondary_path;
 	delete remote_serializer;
 	delete analyzer_mgr;
+	delete file_mgr;
 	delete log_mgr;
 	delete plugin_mgr;
 	delete thread_mgr;
-	delete file_mgr;
 	delete reporter;
 
 	reporter = 0;

From d7d5497436f8b3bf6101adca4e1d2aa2c1113aa0 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 29 Apr 2014 15:26:19 -0500
Subject: [PATCH 205/220] Improve/standardize some malloc/realloc return val
 checks.

---
 src/file_analysis/analyzer/x509/X509.cc       |  4 ++++
 src/file_analysis/analyzer/x509/functions.bif |  4 ++++
 src/logging/Manager.cc                        | 10 ++++++----
 src/threading/BasicThread.cc                  |  2 +-
 src/util.cc                                   |  4 ++--
 5 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 86f13f8760..c036fca7ed 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -184,6 +184,10 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	// Use OPENSSL_malloc here. Using new or anything else can lead
 	// to interesting, hard to debug segfaults.
 	char *buffer = (char*) OPENSSL_malloc(length);
+
+	if ( ! buffer )
+		out_of_memory("X509::ParseExtension");
+
 	BIO_read(bio, (void*)buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
 	OPENSSL_free(buffer);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 00042d860a..e6ed138c74 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -82,6 +82,10 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	int length = BIO_pending(bio);
 	// use OPENSS_malloc here. Otherwhise, interesting problems will happen.
 	char *buffer = (char*) OPENSSL_malloc(length);
+
+	if ( ! buffer )
+		out_of_memory("x509_get_certificate_string");
+
 	BIO_read(bio, (void*) buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
 	OPENSSL_free(buffer);
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 8d833ddbc6..55e0fddb5a 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -537,17 +537,19 @@ bool Manager::TraverseRecord(Stream* stream, Filter* filter, RecordType* rt,
 
 		filter->indices.push_back(new_indices);
 
-		filter->fields = (threading::Field**)
+		void* tmp =
 			realloc(filter->fields,
-				sizeof(threading::Field*) * ++filter->num_fields);
+				sizeof(threading::Field*) * (filter->num_fields + 1));
 
-		if ( ! filter->fields )
+		if ( ! tmp )
 			{
-			--filter->num_fields;
 			reporter->Error("out of memory in add_filter");
 			return false;
 			}
 
+		++filter->num_fields;
+		filter->fields = (threading::Field**) tmp;
+
 		TypeTag st = TYPE_VOID;
 
 		if ( t->Tag() == TYPE_TABLE )
diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc
index 7f5dbfc56b..ffee21bc16 100644
--- a/src/threading/BasicThread.cc
+++ b/src/threading/BasicThread.cc
@@ -24,7 +24,7 @@ BasicThread::BasicThread()
 	pthread = 0;
 
 	buf_len = STD_FMT_BUF_LEN;
-	buf = (char*) malloc(buf_len);
+	buf = (char*) safe_malloc(buf_len);
 
 	strerr_buffer = 0;
 
diff --git a/src/util.cc b/src/util.cc
index 6190067aa6..f5bbe9cf96 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -568,7 +568,7 @@ const char* fmt(const char* format, ...)
 	static unsigned int buf_len = 1024;
 
 	if ( ! buf )
-		buf = (char*) malloc(buf_len);
+		buf = (char*) safe_malloc(buf_len);
 
 	va_list al;
 	va_start(al, format);
@@ -578,7 +578,7 @@ const char* fmt(const char* format, ...)
 	if ( (unsigned int) n >= buf_len )
 		{ // Not enough room, grow the buffer.
 		buf_len = n + 32;
-		buf = (char*) realloc(buf, buf_len);
+		buf = (char*) safe_realloc(buf, buf_len);
 
 		// Is it portable to restart?
 		va_start(al, format);

From 636262d86591251e08110074074b04331854bef9 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Wed, 30 Apr 2014 12:35:09 -0700
Subject: [PATCH 206/220] Correct a notice for heartbleed. The notice is thrown
 correctly, just the message conteined wrong values.

---
 scripts/policy/protocols/ssl/heartbleed.bro                 | 2 +-
 .../notice-encrypted.log                                    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index c4842d6a0a..543430e156 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -106,7 +106,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 			{
 			NOTICE([$note=SSL_Heartbeat_Attack_Success,
 				$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
-					c$ssl?$last_originator_heartbeat_request_size, c$ssl$last_originator_heartbeat_request_size),
+					c$ssl$last_originator_heartbeat_request_size, length),
 				$conn=c,
 				$identifier=c$uid # only throw once per connection
 				]);
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
index 863d8dd9c0..dfe9dcec74 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2014-04-24-19-05-00
+#open	2014-04-30-19-34-39
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
-1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 1, first packet server record length 32	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2014-04-24-19-05-00
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-30-19-34-39

From 385438d47c6ca263f664fe85fc41584ff4ade085 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 1 May 2014 13:04:34 -0500
Subject: [PATCH 207/220] Change X509 extension value parsing to not abort on
 malloc failures.

Also comes with factoring that out in to it's own function and
additional error check before using a return value from BIO_pending.
---
 src/file_analysis/analyzer/x509/X509.cc       | 59 +++++++++++++++----
 src/file_analysis/analyzer/x509/X509.h        |  8 +++
 src/file_analysis/analyzer/x509/functions.bif | 14 +----
 3 files changed, 57 insertions(+), 24 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index c036fca7ed..162e154df9 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -159,6 +159,49 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 	return pX509Cert;
 	}
 
+StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
+	{
+	BIO_flush(bio);
+	ERR_clear_error();
+	int length = BIO_pending(bio);
+
+	if ( ERR_peek_error() != 0 )
+		{
+		char tmp[120];
+		ERR_error_string(ERR_get_error(), tmp);
+		reporter->Error("X509::GetExtensionFromBIO: %s", tmp);
+		BIO_free_all(bio);
+		return 0;
+		}
+
+	if ( length == 0 )
+		{
+		BIO_free_all(bio);
+		return new StringVal("");
+		}
+
+	// TODO: see about using regular malloc here, there were unknown problems
+	// using anything other than OPENSSL_malloc that need investigation.
+	char* buffer = (char*) OPENSSL_malloc(length);
+
+	if ( ! buffer )
+		{
+		// Just emit an error here and try to continue instead of aborting
+		// because it's unclear the length value is very reliable.
+		reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length);
+		BIO_free_all(bio);
+		return 0;
+		}
+
+	BIO_read(bio, (void*) buffer, length);
+	StringVal* ext_val = new StringVal(length, buffer);
+
+	OPENSSL_free(buffer);
+	BIO_free_all(bio);
+
+	return ext_val;
+	}
+
 void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	{
 	char name[256];
@@ -178,20 +221,10 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex)
 	if( ! X509V3_EXT_print(bio, ex, 0, 0))
 		M_ASN1_OCTET_STRING_print(bio,ex->value);
 
-	BIO_flush(bio);
-	int length = BIO_pending(bio);
+	StringVal* ext_val = GetExtensionFromBIO(bio);
 
-	// Use OPENSSL_malloc here. Using new or anything else can lead
-	// to interesting, hard to debug segfaults.
-	char *buffer = (char*) OPENSSL_malloc(length);
-
-	if ( ! buffer )
-		out_of_memory("X509::ParseExtension");
-
-	BIO_read(bio, (void*)buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
-	OPENSSL_free(buffer);
-	BIO_free_all(bio);
+	if ( ! ext_val )
+		ext_val = new StringVal(0, "");
 
 	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
 	pX509Ext->Assign(0, new StringVal(name));
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h
index 8667d870b1..6a3e6393a3 100644
--- a/src/file_analysis/analyzer/x509/X509.h
+++ b/src/file_analysis/analyzer/x509/X509.h
@@ -37,6 +37,14 @@ public:
 	static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
 		{ return new X509(args, file); }
 
+	/**
+	 * Retrieve an X509 extension value from an OpenSSL BIO to which it was
+	 * written.
+	 * @param bio the OpenSSL BIO to read.
+	 * @return The X509 extension value.
+	 */
+	static StringVal* GetExtensionFromBIO(BIO* bio);
+
 protected:
 	X509(RecordVal* args, File* file);
 
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index e6ed138c74..176df53bdb 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -78,18 +78,10 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	else
 		i2d_X509_bio(bio, h->GetCertificate());
 
-	BIO_flush(bio);
-	int length = BIO_pending(bio);
-	// use OPENSS_malloc here. Otherwhise, interesting problems will happen.
-	char *buffer = (char*) OPENSSL_malloc(length);
+	StringVal* ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
 
-	if ( ! buffer )
-		out_of_memory("x509_get_certificate_string");
-
-	BIO_read(bio, (void*) buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
-	OPENSSL_free(buffer);
-	BIO_free_all(bio);
+	if ( ! ext_val )
+		ext_val = new StringVal("");
 
 	return ext_val;
 	%}

From 5b9d190f2c3b7a7c91d877aa98044c59cce16385 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 1 May 2014 14:08:07 -0500
Subject: [PATCH 208/220] Fix missing "irc-dcc-data" service field from IRC DCC
 connections.

---
 scripts/base/protocols/irc/dcc-send.bro               |  2 +-
 .../scripts.base.protocols.irc.basic/conn.log         | 11 +++++++++++
 testing/btest/scripts/base/protocols/irc/basic.test   |  1 +
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log

diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
index d95eb97517..437724004a 100644
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -76,7 +76,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	dcc_expected_transfers[address, p] = c$irc;
 	}
 
-event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
 	{
 	local id = c$id;
 	if ( [id$resp_h, id$resp_p] in dcc_expected_transfers )
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log
new file mode 100644
index 0000000000..411e57f8ee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2014-05-01-19-07-07
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
+1311189318.898709	CjhGID4nQcgTWjvg4c	192.168.1.77	57655	209.197.168.151	1024	tcp	irc-dcc-data	2.256935	124	42208	SF	-	0	ShAdDaFf	28	1592	43	44452	(empty)
+1311189164.064603	CXWv6p3arKYeMETxOg	192.168.1.77	57640	66.198.80.67	6667	tcp	irc	178.237017	453	25404	S3	-	0	ShADdaf	63	3761	52	28194	(empty)
+#close	2014-05-01-19-07-07
diff --git a/testing/btest/scripts/base/protocols/irc/basic.test b/testing/btest/scripts/base/protocols/irc/basic.test
index 32358d12a4..618f4d9079 100644
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@@ -3,6 +3,7 @@
 
 # @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff irc.log
+# @TEST-EXEC: btest-diff conn.log
 
 # dcc mime types are irrelevant to this test, so filter it out
 event bro_init()

From 8b7d5a68b2e774aa83056889d6ed6814e8d6b1ec Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Thu, 1 May 2014 15:00:03 -0500
Subject: [PATCH 209/220] Fix reference counting for lookup_ID() usages.

That function refs the ID before returning it, but callers were never
assuming responsibility for that reference.
---
 src/Debug.cc        |  6 ++++++
 src/EventHandler.cc |  5 ++++-
 src/Func.cc         |  1 +
 src/RuleMatcher.cc  |  5 ++++-
 src/Type.cc         |  1 +
 src/Var.cc          | 20 ++++++++++++++++----
 src/scan.l          | 12 ++++++++++--
 7 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/src/Debug.cc b/src/Debug.cc
index 94b8abf952..09e8810edb 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -192,6 +192,7 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		string fullname = make_full_var_name(current_module.c_str(), s.c_str());
 		debug_msg("Function %s not defined.\n", fullname.c_str());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
@@ -199,6 +200,7 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		{
 		debug_msg("Function %s not declared.\n", id->Name());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
@@ -206,6 +208,7 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		{
 		debug_msg("Function %s declared but not defined.\n", id->Name());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
@@ -216,9 +219,12 @@ static void parse_function_name(vector<ParseLocationRec>& result,
 		{
 		debug_msg("Function %s is a built-in function\n", id->Name());
 		plr.type = plrUnknown;
+		Unref(id);
 		return;
 		}
 
+	Unref(id);
+
 	Stmt* body = 0;	// the particular body we care about; 0 = all
 
 	if ( bodies.size() == 1 )
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
index a5dc62148a..2f0a19ccc0 100644
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@@ -39,7 +39,10 @@ FuncType* EventHandler::FType()
 	if ( id->Type()->Tag() != TYPE_FUNC )
 		return 0;
 
-	return type = id->Type()->AsFuncType();
+	type = id->Type()->AsFuncType();
+	Unref(id);
+
+	return type;
 	}
 
 void EventHandler::SetLocalHandler(Func* f)
diff --git a/src/Func.cc b/src/Func.cc
index 11749a8a9c..1f3ac6f93c 100644
--- a/src/Func.cc
+++ b/src/Func.cc
@@ -475,6 +475,7 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
 
 	type = id->Type()->Ref();
 	id->SetVal(new Val(this));
+	Unref(id);
 	}
 
 BuiltinFunc::~BuiltinFunc()
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 5cea843c8d..ca08388b10 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -1286,7 +1286,10 @@ static Val* get_bro_val(const char* label)
 		return 0;
 		}
 
-	return id->ID_Val();
+	Val* rval = id->ID_Val();
+	Unref(id);
+
+	return rval;
 	}
 
 
diff --git a/src/Type.cc b/src/Type.cc
index 672153d957..b840fa98e3 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1449,6 +1449,7 @@ void EnumType::CheckAndAddName(const string& module_name, const char* name,
 		}
 	else
 		{
+		Unref(id);
 		reporter->Error("identifier or enumerator value in enumerated type definition already exists");
 		SetError();
 		return;
diff --git a/src/Var.cc b/src/Var.cc
index 52754e3265..a34a0142eb 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -385,6 +385,7 @@ void begin_func(ID* id, const char* module_name, function_flavor flavor,
 		if ( arg_id && ! arg_id->IsGlobal() )
 			arg_id->Error("argument name used twice");
 
+		Unref(arg_id);
 		arg_id = install_ID(arg_i->id, module_name, false, false);
 		arg_id->SetType(arg_i->type->Ref());
 		}
@@ -442,10 +443,13 @@ void end_func(Stmt* body, attr_list* attrs)
 Val* internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+
 	if ( ! id )
 		reporter->InternalError("internal variable %s missing", name);
 
-	return id->ID_Val();
+	Val* rval = id->ID_Val();
+	Unref(id);
+	return rval;
 	}
 
 Val* internal_const_val(const char* name)
@@ -457,13 +461,17 @@ Val* internal_const_val(const char* name)
 	if ( ! id->IsConst() )
 		reporter->InternalError("internal variable %s is not constant", name);
 
-	return id->ID_Val();
+	Val* rval = id->ID_Val();
+	Unref(id);
+	return rval;
 	}
 
 Val* opt_internal_val(const char* name)
 	{
 	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
-	return id ? id->ID_Val() : 0;
+	Val* rval = id ? id->ID_Val() : 0;
+	Unref(id);
+	return rval;
 	}
 
 double opt_internal_double(const char* name)
@@ -503,6 +511,8 @@ ListVal* internal_list_val(const char* name)
 		return 0;
 
 	Val* v = id->ID_Val();
+	Unref(id);
+
 	if ( v )
 		{
 		if ( v->Type()->Tag() == TYPE_LIST )
@@ -528,7 +538,9 @@ BroType* internal_type(const char* name)
 	if ( ! id )
 		reporter->InternalError("internal type %s missing", name);
 
-	return id->Type();
+	BroType* rval = id->Type();
+	Unref(id);
+	return rval;
 	}
 
 Func* internal_func(const char* name)
diff --git a/src/scan.l b/src/scan.l
index 18233fb58a..7de38cbfbc 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -606,22 +606,30 @@ void do_atifdef(const char* id)
 	{
 	++current_depth;
 
-	if ( ! lookup_ID(id, current_module.c_str()) )
+	ID* i;
+
+	if ( ! (i = lookup_ID(id, current_module.c_str())) )
 		{
 		if_stack.append(current_depth);
 		BEGIN(IGNORE);
 		}
+
+	Unref(i);
 	}
 
 void do_atifndef(const char *id)
 	{
 	++current_depth;
 
-	if ( lookup_ID(id, current_module.c_str()) )
+	ID* i;
+
+	if ( (i = lookup_ID(id, current_module.c_str())) )
 		{
 		if_stack.append(current_depth);
 		BEGIN(IGNORE);
 		}
+
+	Unref(i);
 	}
 
 void do_atelse()

From 83a15886a732e34219f594ffd9539e3999f213e7 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 1 May 2014 20:45:35 -0700
Subject: [PATCH 210/220] Updating CHANGES and NEWS for earlier X509 updates.

BIT-1150 #merged
---
 CHANGES | 15 +++++++++++++--
 NEWS    |  3 +++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 631e781d9a..e7a1cc9bef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -207,8 +207,19 @@
 
 2.2-294 | 2014-03-30 22:08:25 +0200
 
-  * TODO: x509 changes. (Bernhard Amann)
-    
+  * Rework and move X509 certificate processing from the SSL protocol
+    analyzer to a dedicated file analyzer. This will allow us to
+    examine X509 certificates from sources other than SSL in the
+    future. Furthermore, Bro now parses more fields and extensions
+    from the certificates (e.g. elliptic curve information, subject
+    alternative names, basic constraints). Certificate validation also
+    was improved, should be easier to use and exposes information like
+    the full verified certificate chain. (Bernhard Amann)
+
+    This update changes the format of ssl.log and adds a new x509.log
+    with certificate information. Furthermore all x509 events and
+    handling functions have changed.
+
 2.2-271 | 2014-03-30 20:25:17 +0200
 
   * Add unit tests covering vector/set/table ctors/inits. (Jon Siwek)
diff --git a/NEWS b/NEWS
index 9de61a2dc4..ac12931819 100644
--- a/NEWS
+++ b/NEWS
@@ -62,6 +62,9 @@ Changed Functionality
 
       event x509_extension(c: connection, is_orig: bool, cert: X509, ext: X509_extension_info);
 
+- Generally, all x509 events and handling functions have changed their
+  signatures.
+
 - Bro no longer special-cases SYN/FIN/RST-filtered traces by not
   reporting missing data. The old behavior can be reverted by
   redef'ing "detect_filtered_trace".

From bf9bddd4fc8dce1053e0ec7f021c00effd5dc814 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 1 May 2014 21:05:17 -0700
Subject: [PATCH 211/220] Updating submodule(s).

 [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broctl b/aux/broctl
index 5266f45a68..c44ec9c13d 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5266f45a6839ea9b6f1825ba0fd448a721cb42be
+Subproject commit c44ec9c13d87b8589d6f1549b9c523130fcc2a39

From 3905b6fc70fe2c1948efdaf04e7154d83756de42 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 2 May 2014 12:09:06 -0500
Subject: [PATCH 212/220] Clean up base SNMP script.  Mostly docs, some logic
 refactors.

---
 CHANGES                              | 14 +++++
 VERSION                              |  2 +-
 scripts/base/protocols/snmp/main.bro | 82 ++++++++++++++++------------
 3 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/CHANGES b/CHANGES
index e7a1cc9bef..b49fa5239c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,18 @@
 
+2.2-409 | 2014-05-02 12:09:06 -0500
+
+  * Clean up and documentation for base SNMP script. (Jon Siwek)
+
+  * Update base SNMP script to now produce a snmp.log. (Seth Hall)
+
+  * Add DH support to SSL analyzer.  When using DHE or DH-Anon, sever
+    key parameters are now available in scriptland.  Also add script to
+    alert on weak certificate keys or weak dh-params. (Bernhard Amann)
+
+  * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann)
+
+  * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann)
+
 2.2-397 | 2014-05-01 20:29:20 -0700
 
   * Fix reference counting for lookup_ID() usages. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 720c163a49..12e210c885 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-397
+2.2-409
diff --git a/scripts/base/protocols/snmp/main.bro b/scripts/base/protocols/snmp/main.bro
index 1c92e73ce0..4921794408 100644
--- a/scripts/base/protocols/snmp/main.bro
+++ b/scripts/base/protocols/snmp/main.bro
@@ -1,45 +1,68 @@
-##! Enables analysis of SNMP datagrams.
+##! Enables analysis and logging of SNMP datagrams.
 
 module SNMP;
 
 export {
 	redef enum Log::ID += { LOG };
 
+	## Information tracked per SNMP session.
 	type Info: record {
+		## Timestamp of first packet belonging to the SNMP session.
 		ts: time &log;
+		## The unique ID for the connection.
 		uid: string &log;
+		## The connection's 5-tuple of addresses/ports (ports inherently
+		## include transport protocol information)
 		id: conn_id &log;
+		## The amount of time between the first packet beloning to
+		## the SNMP session and the latest one seen.
 		duration: interval &log &default=0secs;
-
+		## The version of SNMP being used.
 		version: string &log;
+		## The community string of the first SNMP packet associated with
+		## the session.  This is used as part of SNMP's (v1 and v2c)
+		## administrative/security framework.  See :rfc:`1157` or :rfc:`1901`.
 		community: string &log &optional;
 
+		## The number of variable bindings in GetRequest/GetNextRequest PDUs
+		## seen for the session.
 		get_requests:      count &log &default=0;
+		## The number of variable bindings in GetBulkRequest PDUs seen for
+		## the session.
 		get_bulk_requests: count &log &default=0;
+		## The number of variable bindings in GetResponse/Response PDUs seen
+		## for the session.
 		get_responses:     count &log &default=0;
-
+		## The number of variable bindings in SetRequest PDUs seen for
+		## the session.
 		set_requests: count &log &default=0;
 
+		## A system description of the SNMP responder endpoint.
 		display_string: string &log &optional;
+		## The time at which the SNMP responder endpoint claims it's been
+		## up since.
 		up_since: time &log &optional;
 	};
 
-	redef record connection += {
-		snmp: SNMP::Info &optional;
-	};
+	## Maps an SNMP version integer to a human readable string.
+	const version_map: table[count] of string = {
+		[0] = "1",
+		[1] = "2c",
+		[3] = "3",
+	} &redef &default="unknown";
 
+	## Event that can be handled to access the SNMP record as it is sent on
+	## to the logging framework.
 	global log_snmp: event(rec: Info);
 }
 
+redef record connection += {
+	snmp: SNMP::Info &optional;
+};
+
 const ports = { 161/udp, 162/udp };
 redef likely_server_ports += { ports };
 
-const version_map = {
-	[0] = "1",
-	[1] = "2c",
-	[3] = "3",
-};
-
 event bro_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, ports);
@@ -50,17 +73,18 @@ function init_state(c: connection, h: SNMP::Header): Info
 	{
 	if ( ! c?$snmp )
 		{
-		c$snmp = Info($ts=network_time(), 
+		c$snmp = Info($ts=network_time(),
 		              $uid=c$uid, $id=c$id,
 		              $version=version_map[h$version]);
 		}
 
 	local s = c$snmp;
+
 	if ( ! s?$community )
 		{
 		if ( h?$v1 )
 			s$community = h$v1$community;
-		if ( h?$v2 )
+		else if ( h?$v2 )
 			s$community = h$v2$community;
 		}
 
@@ -78,39 +102,30 @@ event connection_state_remove(c: connection) &priority=-5
 event snmp_get_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$get_requests;
-		}
+	s$get_requests += |pdu$bindings|;
 	}
 
 event snmp_get_bulk_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::BulkPDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$get_bulk_requests;
-		}
+	s$get_bulk_requests += |pdu$bindings|;
 	}
 
 event snmp_get_next_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$get_requests;
-		}
+	s$get_requests += |pdu$bindings|;
 	}
 
 event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
+	s$get_responses += |pdu$bindings|;
 
 	for ( i in pdu$bindings )
 		{
-		++s$get_responses;
-
 		local binding = pdu$bindings[i];
+
 		if ( binding$oid == "1.3.6.1.2.1.1.1.0" && binding$value?$octets )
 			c$snmp$display_string = binding$value$octets;
 		else if ( binding$oid == "1.3.6.1.2.1.1.3.0" && binding$value?$unsigned )
@@ -124,10 +139,7 @@ event snmp_response(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNM
 event snmp_set_request(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU) &priority=5
 	{
 	local s = init_state(c, header);
-	for ( i in pdu$bindings )
-		{
-		++s$set_requests;
-		}
+	s$set_requests += |pdu$bindings|;
 	}
 
 event snmp_trap(c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::TrapPDU) &priority=5
@@ -165,6 +177,6 @@ event snmp_encrypted_pdu(c: connection, is_orig: bool, header: SNMP::Header) &pr
 	init_state(c, header);
 	}
 
-event snmp_unknown_header_version(c: connection, is_orig: bool, version: count) &priority=5
-	{
-	}
+#event snmp_unknown_header_version(c: connection, is_orig: bool, version: count) &priority=5
+#	{
+#	}

From b15bbf4f333662374e5316af0b70ecc149f8ec65 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Fri, 2 May 2014 12:49:53 -0500
Subject: [PATCH 213/220] Replace an unneeded OPENSSL_malloc call.

---
 CHANGES                                 | 4 ++++
 VERSION                                 | 2 +-
 src/file_analysis/analyzer/x509/X509.cc | 6 ++----
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index b49fa5239c..9bb4bf6a70 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+2.2-410 | 2014-05-02 12:49:53 -0500
+
+  * Replace an unneeded OPENSSL_malloc call. (Jon Siwek)
+
 2.2-409 | 2014-05-02 12:09:06 -0500
 
   * Clean up and documentation for base SNMP script. (Jon Siwek)
diff --git a/VERSION b/VERSION
index 12e210c885..861e91890f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-409
+2.2-410
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 3cd886657b..debe38deaa 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -180,9 +180,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
 		return new StringVal("");
 		}
 
-	// TODO: see about using regular malloc here, there were unknown problems
-	// using anything other than OPENSSL_malloc that need investigation.
-	char* buffer = (char*) OPENSSL_malloc(length);
+	char* buffer = (char*) malloc(length);
 
 	if ( ! buffer )
 		{
@@ -196,7 +194,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio)
 	BIO_read(bio, (void*) buffer, length);
 	StringVal* ext_val = new StringVal(length, buffer);
 
-	OPENSSL_free(buffer);
+	free(buffer);
 	BIO_free_all(bio);
 
 	return ext_val;

From 713fd2fbafde195a7aa508e145760990e0988977 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:07:23 -0500
Subject: [PATCH 214/220] Fix new []/delete mismatch in ~Base64Converter.

---
 src/Base64.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Base64.cc b/src/Base64.cc
index 50732534ab..e76621e634 100644
--- a/src/Base64.cc
+++ b/src/Base64.cc
@@ -104,7 +104,7 @@ Base64Converter::Base64Converter(analyzer::Analyzer* arg_analyzer, const string&
 Base64Converter::~Base64Converter()
 	{
 	if ( base64_table != default_base64_table )
-		delete base64_table;
+		delete [] base64_table;
 	}
 
 int Base64Converter::Decode(int len, const char* data, int* pblen, char** pbuf)

From 965e4d421d66b79d9c8fa363b65f63955e93f583 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:13:43 -0500
Subject: [PATCH 215/220] Fix buffer overlows in IP address masking logic.

That could occur either in taking a zero-length mask on an IPv6 address
(e.g. [fe80::]/0) or a reverse mask of length 128 on any address (e.g.
via the remask_addr BuiltIn Function).
---
 src/IPAddr.cc | 58 +++++++++++++++++++++++++--------------------------
 1 file changed, 28 insertions(+), 30 deletions(-)

diff --git a/src/IPAddr.cc b/src/IPAddr.cc
index 7fd3755042..7ccc3dce07 100644
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@@ -1,5 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include <cstdlib>
 #include <string>
 #include <vector>
 #include "IPAddr.h"
@@ -45,6 +46,14 @@ HashKey* BuildConnIDHashKey(const ConnID& id)
 	return new HashKey(&key, sizeof(key));
 	}
 
+static inline uint32_t bit_mask32(int bottom_bits)
+	{
+	if ( bottom_bits >= 32 )
+		return 0xffffffff;
+
+	return (((uint32_t) 1) << bottom_bits) - 1;
+	}
+
 void IPAddr::Mask(int top_bits_to_keep)
 	{
 	if ( top_bits_to_keep < 0 || top_bits_to_keep > 128 )
@@ -53,25 +62,20 @@ void IPAddr::Mask(int top_bits_to_keep)
 		return;
 		}
 
-	uint32_t tmp[4];
-	memcpy(tmp, in6.s6_addr, sizeof(in6.s6_addr));
+	uint32_t mask_bits[4] = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff };
+	std::ldiv_t res = std::ldiv(top_bits_to_keep, 32);
 
-	int word = 3;
-	int bits_to_chop = 128 - top_bits_to_keep;
+	if ( res.quot < 4 )
+		mask_bits[res.quot] =
+		        htonl(mask_bits[res.quot] & ~bit_mask32(32 - res.rem));
 
-	while ( bits_to_chop >= 32 )
-		{
-		tmp[word] = 0;
-		--word;
-		bits_to_chop -= 32;
-		}
+	for ( unsigned int i = res.quot + 1; i < 4; ++i )
+		mask_bits[i] = 0;
 
-	uint32_t w = ntohl(tmp[word]);
-	w >>= bits_to_chop;
-	w <<= bits_to_chop;
-	tmp[word] = htonl(w);
+	uint32_t* p = reinterpret_cast<uint32_t*>(in6.s6_addr);
 
-	memcpy(in6.s6_addr, tmp, sizeof(in6.s6_addr));
+	for ( unsigned int i = 0; i < 4; ++i )
+		p[i] &= mask_bits[i];
 	}
 
 void IPAddr::ReverseMask(int top_bits_to_chop)
@@ -82,25 +86,19 @@ void IPAddr::ReverseMask(int top_bits_to_chop)
 		return;
 		}
 
-	uint32_t tmp[4];
-	memcpy(tmp, in6.s6_addr, sizeof(in6.s6_addr));
+	uint32_t mask_bits[4] = { 0, 0, 0, 0 };
+	std::ldiv_t res = std::ldiv(top_bits_to_chop, 32);
 
-	int word = 0;
-	int bits_to_chop = top_bits_to_chop;
+	if ( res.quot < 4 )
+		mask_bits[res.quot] = htonl(bit_mask32(32 - res.rem));
 
-	while ( bits_to_chop >= 32 )
-		{
-		tmp[word] = 0;
-		++word;
-		bits_to_chop -= 32;
-		}
+	for ( unsigned int i = res.quot + 1; i < 4; ++i )
+		mask_bits[i] = 0xffffffff;
 
-	uint32_t w = ntohl(tmp[word]);
-	w <<= bits_to_chop;
-	w >>= bits_to_chop;
-	tmp[word] = htonl(w);
+	uint32_t* p = reinterpret_cast<uint32_t*>(in6.s6_addr);
 
-	memcpy(in6.s6_addr, tmp, sizeof(in6.s6_addr));
+	for ( unsigned int i = 0; i < 4; ++i )
+		p[i] &= mask_bits[i];
 	}
 
 void IPAddr::Init(const std::string& s)

From af3b87e100a89d29773f7c20cf7a6a4a632108d2 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:36:02 -0500
Subject: [PATCH 216/220] Fix buffer over-reads in
 file_analysis::Manager::Terminate()

---
 src/file_analysis/Manager.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 393dadfdc7..3a7b799094 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -74,7 +74,8 @@ void Manager::Terminate()
 
 	while ( id_map.NextEntry(key, it) )
 		{
-		keys.push_back(static_cast<const char*>(key->Key()));
+		keys.push_back(string(static_cast<const char*>(key->Key()),
+		                      key->Size()));
 		delete key;
 		}
 

From 37b860d3252525d278943d83d46d874e55da39e3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 12:55:50 -0500
Subject: [PATCH 217/220] Fix new []/delete mismatch in
 input::reader::Raw::DoClose().

---
 src/input/readers/Raw.cc | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/input/readers/Raw.cc b/src/input/readers/Raw.cc
index 53469335a2..11976e2a11 100644
--- a/src/input/readers/Raw.cc
+++ b/src/input/readers/Raw.cc
@@ -67,12 +67,9 @@ void Raw::DoClose()
 	if ( file != 0 )
 		CloseInput();
 
-	if ( buf != 0 )
-		{
-		// we still have output that has not been flushed. Throw away.
-		delete buf;
-		buf = 0;
-		}
+	// Just throw away output that has not been flushed.
+	delete [] buf;
+	buf = 0;
 
 	if ( execute && childpid > 0 && kill(childpid, 0) == 0 )
 		{

From 6277be6e606334263f18f5d86489564a6ff84dc3 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Tue, 6 May 2014 20:50:37 -0500
Subject: [PATCH 218/220] Fix memory leaks in X509 certificate
 parsing/verification.

---
 src/file_analysis/analyzer/x509/X509.cc       | 11 +++++++++++
 src/file_analysis/analyzer/x509/functions.bif | 18 +++++++++---------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index debe38deaa..6e0f37e9c9 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -153,6 +153,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 		unsigned int length = KeyLength(pkey);
 		if ( length > 0 )
 			pX509Cert->Assign(9, new Val(length, TYPE_COUNT));
+
+		EVP_PKEY_free(pkey);
 		}
 
 
@@ -273,6 +275,7 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		vl->append(pBasicConstraint);
 
 		mgr.QueueEvent(x509_ext_basic_constraints, vl);
+		BASIC_CONSTRAINTS_free(constr);
 		}
 
 	else
@@ -387,6 +390,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 		vl->append(GetFile()->GetVal()->Ref());
 		vl->append(sanExt);
 		mgr.QueueEvent(x509_ext_subject_alternative_name, vl);
+	GENERAL_NAMES_free(altname);
 	}
 
 StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key)
@@ -442,13 +446,20 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key)
 			return 0;
 
 		const EC_GROUP *group = EC_KEY_get0_group(key->pkey.ec);
+
 		if ( ! group )
+			{
 			// unknown ex-group
+			BN_free(ec_order);
 			return 0;
+			}
 
 		if ( ! EC_GROUP_get_order(group, ec_order, NULL) )
+			{
 			// could not get ec-group-order
+			BN_free(ec_order);
 			return 0;
+			}
 
 		unsigned int length = BN_num_bits(ec_order);
 		BN_free(ec_order);
diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 176df53bdb..5d9242026e 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -179,7 +179,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		X509* x = ((file_analysis::X509Val*) sv)->GetCertificate();
 		if ( ! x )
 			{
-			sk_X509_pop(untrusted_certs);
+			sk_X509_free(untrusted_certs);
 			builtin_error(fmt("No certificate in opaque in stack"));
 			return x509_error_record(-1, "No certificate in opaque");
 			}
@@ -203,6 +203,7 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		if ( ! chain )
 			{
 			reporter->Error("Encountered valid chain that could not be resolved");
+			sk_X509_pop_free(chain, X509_free);
 			goto x509_verify_chainerror;
 			}
 
@@ -212,22 +213,21 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 		for ( int i = 0; i < num_certs; i++ )
 			{
 			X509* currcert = sk_X509_value(chain, i);
-			if ( !currcert )
-				{
-				reporter->InternalError("OpenSSL returned null certificate");
-				goto x509_verify_chainerror;
-				}
 
-			chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			if ( currcert )
+				chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+			else
+				reporter->InternalWarning("OpenSSL returned null certificate");
 			}
+
+		sk_X509_free(chain);
 		}
 
 x509_verify_chainerror:
 
 	X509_STORE_CTX_cleanup(&csc);
 
-	if ( untrusted_certs )
-		sk_X509_pop(untrusted_certs);
+	sk_X509_free(untrusted_certs);
 
 	RecordVal* rrecord = new RecordVal(BifType::Record::X509::Result);
 

From 4ea8a4e8ef451f4599f173a14103d8e9e9ade5d6 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 7 May 2014 10:45:00 -0500
Subject: [PATCH 219/220] Change handling of atypical OpenSSL error case in
 x509 verification.

---
 src/file_analysis/analyzer/x509/functions.bif | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 5d9242026e..1fa81a0fd0 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -215,9 +215,17 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 			X509* currcert = sk_X509_value(chain, i);
 
 			if ( currcert )
-				chainVector->Assign(i, new file_analysis::X509Val(currcert)); // X509Val takes ownership
+				// X509Val takes ownership of currcert.
+				chainVector->Assign(i, new file_analysis::X509Val(currcert));
 			else
+				{
 				reporter->InternalWarning("OpenSSL returned null certificate");
+
+				for ( int j = i + 1; i < num_certs; ++j )
+					X509_free(sk_X509_value(chain, j));
+
+				break;
+				}
 			}
 
 		sk_X509_free(chain);

From 37dd3312564346bc2110c41270174b2ccded71a8 Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Thu, 8 May 2014 16:34:44 -0700
Subject: [PATCH 220/220] Updating submodule(s).

 [nomail]
---
 CHANGES     | 24 ++++++++++++------------
 VERSION     |  2 +-
 aux/bro-aux |  2 +-
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1d141ae3d5..68beb70ada 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,24 +1,24 @@
 
-2.2-424 | 2014-05-08 16:32:29 -0700
+2.2-425 | 2014-05-08 16:34:44 -0700
 
-  * Fixing compiler warnings. (Robin Sommer)
+  * Fix reassembly of data w/ sizes beyond 32-bit capacities. (Jon Siwek)
 
-  * Update SNMP analyzer's DeliverPacket method signature. (Jon Siwek)
-    
-  * Fix reassembly of data w/ sizes beyond 32-bit capacities The main
-    change is that reassembly code (e.g. for TCP) now uses
-    int64/uint64 (signedness is situational) data types in place of
-    int types in order to support delivering data to analyzers that
-    pass 2GB thresholds.  There's also changes in logic that accompany
-    the change in data types, e.g. to fix TCP sequence space
-    arithmetic inconsistencies.
+    Reassembly code (e.g. for TCP) now uses int64/uint64 (signedness
+    is situational) data types in place of int types in order to
+    support delivering data to analyzers that pass 2GB thresholds.
+    There's also changes in logic that accompany the change in data
+    types, e.g. to fix TCP sequence space arithmetic inconsistencies.
 
     Another significant change is in the Analyzer API: the *Packet and
     *Undelivered methods now use a uint64 in place of an int for the
     relative sequence space offset parameter.
 
-    Addresses BIT-348. (Jon Siwek)
+    Addresses BIT-348. 
 
+  * Fixing compiler warnings. (Robin Sommer)
+    
+  * Update SNMP analyzer's DeliverPacket method signature. (Jon Siwek)
+    
 2.2-417 | 2014-05-07 10:59:22 -0500
 
   * Change handling of atypical OpenSSL error case in x509 verification. (Jon Siwek)
diff --git a/VERSION b/VERSION
index c43adf607d..ce1d2d112b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.2-424
+2.2-425
diff --git a/aux/bro-aux b/aux/bro-aux
index 5c0043d587..6dfc648d22 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 5c0043d587314c57070e5362762e3e0f6408c2be
+Subproject commit 6dfc648d22d234d2ba4b1cb0fc74cda2eb023d1e