Merge remote branch 'origin/master' into topic/policy-scripts-new

Conflicts: policy/bro.init testing/btest/language/rare-events.bro
2025-10-04 15:48:19 +00:00 · 2011-06-25 23:49:20 -04:00 · 2011-06-25 23:49:20 -04:00 · c070cb31da
commit c070cb31da
parent 663b0eed7b ed8301a4df
28 changed files with 381 additions and 412 deletions
--- a/146
+++ b/146
@ -1,3 +1,149 @@
+1.6-dev.146 Sat Jun 25 18:12:27 PDT 2011
+
+- DNS mapping are now becoming invalid when an entry's TTL expires.
+  (Thomas Other)
+
+- Reworking how Bro tracks which scripts are already loaded. Rather
+  than paths, Bro now tracks inode numbers. (Jon Siwek)
+
+- New BiF netstats() to query packet capture statistics. The netstats
+  script now uses the new BiF to periocally report packets drops. The
+  net_stats_update() event and the heartbeat_interval global went
+  away. (Seth Hall)
+
+- Fixing bug with logging &optional records. Closes #476. (Robin
+  Sommer)
+
+- Fixing istate.events-ssl test failing because of expired cert. (Jon
+  Siwek)
+
+- A large number of improvements and fixes for Bro's doc mode. (Jon
+  Siwek)
+
+- Significant updates for RPC and NFS analyzers (Gregor Maier)
+
+    * Unify semantics for UDP and TCP connections.
+
+    * RPC can now log to a log file if desired.
+
+    * Portmapper can now log general activity to a log file and also log
+      actual port mappings.
+
+    * NFS analyzer now supports significantly more procedure calls as
+      as file name tracking and file content extraction.
+
+- NetBIOS fixes. (Jon Siwek)
+
+- A number of unit tests are more robust and portable.  (Jon Siwek)
+
+- A new BiF unique_id() that returns a string that's unique across Bro
+  instaces with high probablity.  (Robin Sommer)
+
+- Complete rewrite of the BinPAC SSL analyzer. (Seth Hall)
+
+    * DER certificates are extracted as strings to be used with
+      corresponding BiFs.
+
+    * x509_verify function to verify single certs and/or full
+      certificate chains.
+
+    * Removed hand written SSL analyzer.
+
+    * The ssl.bro script is just a place-holder for now. New version
+      will come with the other new scripts.
+
+- New syslog analyzer. (Seth Hall)
+
+- @load now supports loading a directory. With a directory "foo"
+  somewhere in BROPATH, "@load foo" now checks if there's a file
+  "foo/__load__.bro". If so, it reads that file in. (Robin Sommer)
+
+- ASCII logger now escapes non-printable characters. Closes #450.
+  (Robin Sommer)
+
+- Packaging tweaks and rewrite of 'dist' target. (Jon Siwek)
+
+- Changes to allow DEB packaging via CPack, addresses #458. (Jon
+  Siwek)
+
+- An extension to the ICMP analyzer to handle redirects. Julien
+  Sentier
+
+- Removing old istate test-suite. (Robin Sommer)
+
+- A hack to report missing GeoIP support only once. This closes #357,
+  but #455 captures the need for a more general solution. (Robin
+  Sommer)
+
+- Bugfix: vectors in records were not initalized. Closes #421. (Robin
+  Sommer)
+
+- If IPv6 default is not compiled in, the default BPF filters now
+  excludes IPv6 packets. (Robin Sommer)
+
+- New bif bro_has_ipv6() to check whether IPv6 support is compiled in.
+  (Robin Sommer)
+
+- Updating btests and a Makefile. "make" now runs all the tests.
+  (Robin Sommer)
+
+- Moving the test-scripts from the old test-suite over to btest.
+  (Robin Sommer)
+
+- Fix for major bug in POP3 analyzer, which didn't recognize '.'
+  terminators in multi-line replies if the terminator was bare (no
+  newline). This caused it to ignore the rest of the session that it's
+  analyzing. (Vern Paxson)
+    
+- Fix compiler warning with gcc-4.4.4 (Gregor Maier)
+  
+- Adding example documentation for a script's use of logging features.
+  (Jon Siwek)
+
+- Adding &log attribute to static attr_names array. (Jon Siwek)
+  
+- Bro can now track packet and byte counts per connection. (Gregor
+  Maier)
+
+    * If 'use_conn_size_analyzer' is true, the event engine tracks
+      number of packets and raw IP bytes per connection. If
+      report_conn_size_analyzer is true, these values are included as
+      four new columns into conn.log
+    
+    * I changed conn.bro so that the value of
+      report_conn_size_analyzer follows that of
+      use_conn_size_analyzer. For the new conn.log, we probably want
+      to get rid of report_conn_size_analyzer anyway.
+
+- Fixing numerous compiler warnings and portability issues. (All)
+
+- Switching vectors from being 1-based to 0-based. Note that this is a
+  change that break backwards-compatibility. (Robin Sommer)
+
+- Increasing serialization format version for the recent 64-bit
+  changes. (Robin Sommer)
+
+- Support for (mixed) MPLS and VLAN traffic, and a new default BPF
+  filter. (Seth Hall and Robin Sommer)
+    
+    - Merging in the patch from #264, which provides support for mixed
+      VLAN and MPLS traffic.
+    
+    - Changing Bro's default filter from being built dynamically to
+      being a static "ip or not ip". To get the old behaviour back
+      (i.e., the dynamically built filter), redef "all_packets" to
+      false.
+    
+    - print-filter.bro now always prints the filter that Bro is
+      actually using, even if overriden from the command line. (Robin
+      Sommer)
+
+- Changing the HTTP's analyzers internals to use 64-bit integers.
+  (Gregor Maier). 
+    
+- Fixing bug with deleting still unset record fields of table type.
+  (Robin Sommer)
+
 1.6-dev.99 Fri Apr 22 22:10:03 PDT 2011

 - Extending the connection record with a unique identifier. (Robin
--- a/2
+++ b/2
@ -1 +1 @@
-1.6-dev.99
+1.6-dev.146
--- a/aux/broccoli
+++ b/aux/broccoli
@ -1 +1 @@
-Subproject commit 8843da57dc8aee433550727dcbd1199824ca9da4
+Subproject commit 9866a00e78b088315e632960aaa230635bca326a
--- a/policy.old/netstats.bro
+++ b/policy.old/netstats.bro
@ -6,14 +6,11 @@ redef enum Notice += {
 	DroppedPackets,	# Bro reported packets dropped by the packet filter
 };

-global last_stat: net_stats;
-global last_stat_time: time;
-global have_stats = F;
+const stats_collection_interval = 10secs;

-event net_stats_update(t: time, ns: net_stats)
-	{
-	if ( have_stats )
+event net_stats_update(last_stat: NetStats)
 	{
+	local ns = net_stats();
 	local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
 	if ( new_dropped > 0 )
 		{
@ -25,10 +22,11 @@ event net_stats_update(t: time, ns: net_stats)
 				new_link != 0 ?
 					fmt(", %d on link", new_link) : "")]);
 		}
-		}
-	else
-		have_stats = T;
 	
-	last_stat = ns;
-	last_stat_time = t;
+	schedule stats_collection_interval { net_stats_update(ns) };
+	}
+
+event bro_init()
+	{
+	schedule stats_collection_interval { net_stats_update(net_stats()) };
 	}
--- a/policy.old/stats.bro
+++ b/policy.old/stats.bro
@ -15,58 +15,47 @@ redef notice_action_filters += {
 	[[ResourceStats, OfflineResourceStats]] = file_notice
 };

-global last_stats_time = current_time();
-global last_stats_CPU_time =
-	resource_usage()$user_time + resource_usage()$system_time;
-
-# Global to store the last net_stats object received.
-global last_packet_stat: net_stats;
-
-# Globals to store the results between reporting intervals
-global stat_packets_received = 0;
-global stat_packets_dropped = 0;
-global stat_packets_link = 0;
-
-global last_packets_processed = 0;
-global last_events_dispatched = 0;
-global last_events_queued = 0;
-
 # Interval in which the results are sent as a notice.  If this is less
 # than heartbeat_interval, then it is set to heartbeat_interval, since
 # some of the reported statistics are only gathered via the heartbeat.
 global stats_report_interval = 10 sec &redef;

-event check_stats()
+event check_stats(last_time: time, last_ns: NetStats, last_res: bro_resources)
 	{
 	local now = current_time();
 	local lag = now - network_time();
-	local report_delta = now - last_stats_time;
+	local report_delta = now - last_time;

 	local res = resource_usage();
-	local mem = res$mem;
+	local ns = net_stats();
+
 	local total_CPU_time = res$user_time + res$system_time;
-	local CPU_util = (total_CPU_time - last_stats_CPU_time) / report_delta;
+	local last_CPU_time = last_res$user_time + last_res$system_time;
+	local CPU_util = ((total_CPU_time - last_CPU_time) / report_delta) * 100.0;
+
+	local pkts_recvd    = ns$pkts_recvd   - last_ns$pkts_recvd;
+	local pkts_dropped  = ns$pkts_dropped - last_ns$pkts_dropped;
+	local pkts_link     = ns$pkts_link    - last_ns$pkts_link;

 	if ( bro_is_terminating() )
 		# No more stats will be written or scheduled when Bro is
 		# shutting down.
 		return;

-	local delta_pkts_processed = res$num_packets - last_packets_processed;
-	local delta_events = res$num_events_dispatched - last_events_dispatched;
-	local delta_queued = res$num_events_queued - last_events_queued;
+	local delta_pkts_processed = res$num_packets - last_res$num_packets;
+	local delta_events = res$num_events_dispatched - last_res$num_events_dispatched;
+	local delta_queued = res$num_events_queued - last_res$num_events_queued;

 	local stat_msg =
 		fmt("mem=%dMB pkts_proc=%d events_proc=%d events_queued=%d",
-			mem / 1000000, delta_pkts_processed,
+			res$mem / 1000000, delta_pkts_processed,
 			delta_events, delta_queued);

 	if ( reading_live_traffic() )
 		{
 		stat_msg = fmt("%s et=%.2f lag=%fsec util=%.01f%% pkts_rcv=%d pkts_drp=%d pkts_link=%d",
-				stat_msg, report_delta, lag, CPU_util * 100.0,
-				stat_packets_received, stat_packets_dropped,
-				stat_packets_link);
+				stat_msg, report_delta, lag, CPU_util,
+				pkts_recvd, pkts_dropped, pkts_link);
 		NOTICE([$note=ResourceStats, $msg=stat_msg]);
 		}

@ -77,57 +66,15 @@ event check_stats()
 		{
 		# Remote communication only.
 		stat_msg = fmt("mem=%dMB events_proc=%d events_queued=%d lag=%fsec util=%.01f%%",
-				mem / 1000000, delta_events, delta_queued,
-				lag, CPU_util * 100.0 );
+				res$mem / 1000000, delta_events, delta_queued,
+				lag, CPU_util);
 		NOTICE([$note=ResourceStats, $msg=stat_msg]);
 		}

-	last_stats_time = now;
-	last_stats_CPU_time = total_CPU_time;
-	last_packets_processed = res$num_packets;
-	last_events_dispatched = res$num_events_dispatched;
-	last_events_queued = res$num_events_queued;
-
-	stat_packets_received = 0;
-	stat_packets_dropped = 0;
-
-	schedule stats_report_interval { check_stats() };
-	}
-
-event net_stats_update(t: time, ns: net_stats)
-	{
-	if ( ns$pkts_recvd > last_packet_stat$pkts_recvd )
-		stat_packets_received +=
-			ns$pkts_recvd - last_packet_stat$pkts_recvd;
-
-	if ( ns$pkts_dropped > last_packet_stat$pkts_dropped )
-		stat_packets_dropped +=
-			ns$pkts_dropped - last_packet_stat$pkts_dropped;
-
-	if ( ns$pkts_link > last_packet_stat$pkts_link )
-		stat_packets_link += ns$pkts_link - last_packet_stat$pkts_link;
-
-	last_packet_stat = ns;
-	}
-
-event start_check_stats()
-	{
-	# Can't start reporting data until network_time() is up.
-	local zero_time: time = 0;
-
-	if ( network_time() > zero_time )
-		schedule stats_report_interval { check_stats() };
-	else
-		schedule stats_report_interval { start_check_stats() };
+	schedule stats_report_interval { check_stats(now, ns, res) };
 	}

 event bro_init()
 	{
-	last_packet_stat$pkts_recvd = last_packet_stat$pkts_dropped =
-		last_packet_stat$pkts_link = 0;
-
-	if ( stats_report_interval < heartbeat_interval )
-		stats_report_interval = heartbeat_interval;
-
-	schedule stats_report_interval { start_check_stats() };
+	schedule stats_report_interval { check_stats(current_time(), net_stats(), resource_usage()) };
 	}
--- a/policy/bro.init
+++ b/policy/bro.init
@ -105,6 +105,14 @@ type SYN_packet: record {
 	SACK_OK: bool;
 };

+## This record is used for grabbing packet capturing information from
+## the core with the :bro:id:`net_stats` BiF.  All counts are cumulative.
+type NetStats: record {
+	pkts_recvd:   count &default=0; ##< Packets received by Bro.
+	pkts_dropped: count &default=0; ##< Packets dropped.
+	pkts_link:    count &default=0; ##< Packets seen on the link (not always available).
+};
+
 type bro_resources: record {
 	version: string;        # Bro version string
 	debug: bool;            # true if compiled with --enable-debug
@ -610,20 +618,8 @@ global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
 global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
 # End of definition of access to packet headers, discarders.

-
-type net_stats: record {
-	# All counts are cumulative.
-	pkts_recvd: count;	# pkts received by Bro
-	pkts_dropped: count;	# pkts dropped
-	pkts_link: count;	# pkts seen on link (not always available)
-};
-
-
 const watchdog_interval = 10 sec &redef;

-## This interval defines how often the net_stats_update event is generated.
-const heartbeat_interval = 10 sec &redef;
-
 # The maximum number of timers to expire after processing each new
 # packet.  The value trades off spreading out the timer expiration load
 # with possibly having to hold state longer.  A value of 0 means
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -63,6 +63,7 @@ public:
 protected:
 	char* host;	// if non-nil, this is a host request
 	uint32 addr;
+	uint32 ttl;
 	int request_pending;
 };

@ -82,8 +83,8 @@ int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)

 class DNS_Mapping {
 public:
-	DNS_Mapping(const char* host, struct hostent* h);
-	DNS_Mapping(uint32 addr, struct hostent* h);
+	DNS_Mapping(const char* host, struct hostent* h, uint32 ttl);
+	DNS_Mapping(uint32 addr, struct hostent* h, uint32 ttl);
 	DNS_Mapping(FILE* f);

 	int NoMapping() const		{ return no_mapping; }
@ -108,6 +109,9 @@ public:
 	int Failed() const		{ return failed; }
 	int Valid() const		{ return ! failed; }

+	bool Expired() const
+		{ return current_time() > (creation_time + req_ttl); }
+
 protected:
 	friend class DNS_Mgr;

@ -119,6 +123,7 @@ protected:

 	char* req_host;
 	uint32 req_addr;
+	uint32 req_ttl;

 	int num_names;
 	char** names;
@ -146,21 +151,23 @@ static TableVal* empty_addr_set()
 	return new TableVal(s);
 	}

-DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h)
+DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h, uint32 ttl)
 	{
 	Init(h);
 	req_host = copy_string(host);
 	req_addr = 0;
+	req_ttl = ttl;

 	if ( names && ! names[0] )
 		names[0] = copy_string(host);
 	}

-DNS_Mapping::DNS_Mapping(uint32 addr, struct hostent* h)
+DNS_Mapping::DNS_Mapping(uint32 addr, struct hostent* h, uint32 ttl)
 	{
 	Init(h);
 	req_addr = addr;
 	req_host = 0;
+	req_ttl = ttl;
 	}

 DNS_Mapping::DNS_Mapping(FILE* f)
@ -663,6 +670,7 @@ Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
 void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 	{
 	struct hostent* h = (r && r->host_errno == 0) ? r->hostent : 0;
+	u_int32_t ttl = r->ttl;

 	DNS_Mapping* new_dm;
 	DNS_Mapping* prev_dm;
@ -670,7 +678,7 @@ void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)

 	if ( dr->ReqHost() )
 		{
-		new_dm = new DNS_Mapping(dr->ReqHost(), h);
+		new_dm = new DNS_Mapping(dr->ReqHost(), h, ttl);
 		prev_dm = host_mappings.Insert(dr->ReqHost(), new_dm);

 		if ( new_dm->Failed() && prev_dm && prev_dm->Valid() )
@ -683,7 +691,7 @@ void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
 		}
 	else
 		{
-		new_dm = new DNS_Mapping(dr->ReqAddr(), h);
+		new_dm = new DNS_Mapping(dr->ReqAddr(), h, ttl);
 		uint32 tmp_addr = dr->ReqAddr();
 		HashKey k(&tmp_addr, 1);
 		prev_dm = addr_mappings.Insert(&k, new_dm);
@ -833,9 +841,16 @@ const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
 	{
 	HashKey h(&addr, 1);
 	DNS_Mapping* d = dns_mgr->addr_mappings.Lookup(&h);
+
 	if ( ! d )
 		return 0;

+	if ( d->Expired() )
+		{
+		dns_mgr->addr_mappings.Remove(&h);
+		return 0;
+		}
+
 	// The escapes in the following strings are to avoid having it
 	// interpreted as a trigraph sequence.
 	return d->names ? d->names[0] : "<\?\?\?>";
@ -844,9 +859,17 @@ const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
 TableVal* DNS_Mgr::LookupNameInCache(string name)
 	{
 	DNS_Mapping* d = dns_mgr->host_mappings.Lookup(name.c_str());
+
 	if ( ! d || ! d->names )
 		return 0;

+	if ( d->Expired() )
+		{
+		HashKey h(name.c_str());
+		dns_mgr->host_mappings.Remove(&h);
+		return 0;
+		}
+
 	return d->AddrsSet();
 	}

--- a/src/Func.cc
+++ b/src/Func.cc
@ -519,6 +519,7 @@ void init_builtin_funcs()
 	{
 	ftp_port = internal_type("ftp_port")->AsRecordType();
 	bro_resources = internal_type("bro_resources")->AsRecordType();
+	net_stats = internal_type("NetStats")->AsRecordType();
 	matcher_stats = internal_type("matcher_stats")->AsRecordType();
 	var_sizes = internal_type("var_sizes")->AsTableType();
 	gap_info = internal_type("gap_info")->AsRecordType();
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -20,10 +20,7 @@ EnumType* transport_proto;
 TableType* string_set;
 TableType* count_set;

-RecordType* net_stats;
-
 int watchdog_interval;
-double heartbeat_interval;

 int max_timer_expires;
 int max_remote_events_processed;
@ -404,10 +401,7 @@ void init_net_var()
 	ntp_session_timeout = opt_internal_double("ntp_session_timeout");
 	rpc_timeout = opt_internal_double("rpc_timeout");

-	net_stats = internal_type("net_stats")->AsRecordType();
-
 	watchdog_interval = int(opt_internal_double("watchdog_interval"));
-	heartbeat_interval = opt_internal_double("heartbeat_interval");

 	max_timer_expires = opt_internal_int("max_timer_expires");
 	max_remote_events_processed =
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -23,10 +23,7 @@ extern EnumType* transport_proto;
 extern TableType* string_set;
 extern TableType* count_set;

-extern RecordType* net_stats;
-
 extern int watchdog_interval;
-extern double heartbeat_interval;

 extern int max_timer_expires;
 extern int max_remote_events_processed;
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -43,27 +43,6 @@ enum NetBIOS_Service {

 NetSessions* sessions;

-
-class NetworkTimer : public Timer {
-public:
-	NetworkTimer(NetSessions* arg_sess, double arg_t)
-		: Timer(arg_t, TIMER_NETWORK)
-		{ sess = arg_sess; }
-
-	void Dispatch(double t, int is_expire);
-
-protected:
-	NetSessions* sess;
-};
-
-void NetworkTimer::Dispatch(double t, int is_expire)
-	{
-	if ( is_expire )
-		return;
-
-	sess->HeartBeat(t);
-	}
-
 void TimerMgrExpireTimer::Dispatch(double t, int is_expire)
 	{
 	if ( mgr->LastAdvance() + timer_mgr_inactivity_timeout < timer_mgr->Time() )
@ -105,9 +84,6 @@ NetSessions::NetSessions()
 	udp_conns.SetDeleteFunc(bro_obj_delete_func);
 	fragments.SetDeleteFunc(bro_obj_delete_func);

-	if ( (reading_live || pseudo_realtime) && net_stats_update )
-		timer_mgr->Add(new NetworkTimer(this, 1.0));
-
 	if ( stp_correlate_pair )
 		stp_manager = new SteppingStoneManager();
 	else
@ -1049,39 +1025,6 @@ void NetSessions::Drain()
 	ExpireTimerMgrs();
 	}

-void NetSessions::HeartBeat(double t)
-	{
-	unsigned int recv = 0;
-	unsigned int drop = 0;
-	unsigned int link = 0;
-
-	loop_over_list(pkt_srcs, i)
-		{
-		PktSrc* ps = pkt_srcs[i];
-
-		struct PktSrc::Stats stat;
-		ps->Statistics(&stat);
-		recv += stat.received;
-		drop += stat.dropped;
-		link += stat.link;
-		}
-
-	val_list* vl = new val_list;
-
-	vl->append(new Val(t, TYPE_TIME));
-
-	RecordVal* ns = new RecordVal(net_stats);
-	ns->Assign(0, new Val(recv, TYPE_COUNT));
-	ns->Assign(1, new Val(drop, TYPE_COUNT));
-	ns->Assign(2, new Val(link, TYPE_COUNT));
-
-	vl->append(ns);
-
-	mgr.QueueEvent(net_stats_update, vl);
-
-	timer_mgr->Add(new NetworkTimer(this, t + heartbeat_interval));
-	}
-
 void NetSessions::GetStats(SessionStats& s) const
 	{
 	s.num_TCP_conns = tcp_conns.Length();
--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -105,9 +105,6 @@ public:
 	// that are still active.
 	void Drain();

-	// Called periodically to generate statistics reports.
-	void HeartBeat(double t);
-
 	void GetStats(SessionStats& s) const;

 	void Weird(const char* name,
--- a/src/bro.bif
+++ b/src/bro.bif
@ -14,6 +14,7 @@
 using namespace std;

 RecordType* ftp_port;
+RecordType* net_stats;
 RecordType* bro_resources;
 RecordType* matcher_stats;
 TableType* var_sizes;
@ -1471,6 +1472,31 @@ function bytestring_to_hexstr%(bytestring: string%): string
 extern const char* bro_version();
 %%}

+function net_stats%(%): NetStats
+	%{
+	unsigned int recv = 0;
+	unsigned int drop = 0;
+	unsigned int link = 0;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		PktSrc* ps = pkt_srcs[i];
+
+		struct PktSrc::Stats stat;
+		ps->Statistics(&stat);
+		recv += stat.received;
+		drop += stat.dropped;
+		link += stat.link;
+		}
+
+	RecordVal* ns = new RecordVal(net_stats);
+	ns->Assign(0, new Val(recv, TYPE_COUNT));
+	ns->Assign(1, new Val(drop, TYPE_COUNT));
+	ns->Assign(2, new Val(link, TYPE_COUNT));
+
+	return ns;
+	%}
+
 function resource_usage%(%): bro_resources
 	%{
 	struct rusage r;
--- a/src/event.bif
+++ b/src/event.bif
@ -50,7 +50,6 @@ event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, pa
 event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
 event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
 event icmp_redirect%(c: connection, icmp: icmp_conn, a: addr%);
-event net_stats_update%(t: time, ns: net_stats%);
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 event conn_weird%(name: string, c: connection%);
 event conn_weird_addl%(name: string, c: connection, addl: string%);
--- a/src/main.cc
+++ b/src/main.cc
@ -886,7 +886,8 @@ int main(int argc, char** argv)
 			UnserialInfo info(&s);
 			info.print = stdout;
 			info.install_uniques = true;
-			s.Read(&info, bst_file);
+			if ( ! s.Read(&info, bst_file) )
+				error("Failed to read events from %s\n", bst_file);
 			}

 		exit(0);
--- a/src/nb_dns.c
+++ b/src/nb_dns.c
@ -438,6 +438,7 @@ nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
 	register char **ap, **hap;
 	register u_int16_t id;
 	register const u_char *rdata;
+	register u_int32_t rttl;
 	register struct hostent *he;
 	register size_t rdlen;
 	ns_msg handle;
@ -557,6 +558,7 @@ nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)

 		rdata = ns_rr_rdata(rr);
 		rdlen = ns_rr_rdlen(rr);
+		rttl = ns_rr_ttl(rr);
 		switch (atype) {

 		case T_A:
@ -603,10 +605,12 @@ nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)

 			/* "Find first satisfactory answer" */
 			nr->hostent = he;
+			nr->ttl = rttl;
 			return (1);
 		}
 	}

 	nr->hostent = he;
+	nr->ttl = rttl;
 	return (1);
 }
--- a/src/nb_dns.h
+++ b/src/nb_dns.h
@ -11,6 +11,7 @@ struct nb_dns_result {
 	void *cookie;
 	int host_errno;
 	struct hostent *hostent;
+	uint32_t ttl;
 };

 typedef unsigned int nb_uint32_t;
--- a/src/scan.l
+++ b/src/scan.l
@ -8,6 +8,7 @@
 #include <list>
 #include <string>
 #include <algorithm>
+#include <sys/stat.h>

 #include "input.h"
 #include "util.h"
@ -54,8 +55,9 @@ char last_tok[128];
 	if ( ((result = fread(buf, 1, max_size, yyin)) == 0) && ferror(yyin) ) \
 		error(fmt("read failed with \"%s\"", strerror(errno)));

-// Files we have already scanned (or are in the process of scanning).
-static PList(char) files_scanned;
+// Files we have already scanned (or are in the process of scanning). They
+// are tracked by inode number. 
+static std::list<ino_t> files_scanned;

 // reST documents that we've created (or have at least opened so far).
 std::list<BroDoc*> docs_generated;
@ -84,6 +86,19 @@ static const char* canon_doc_comment(const char* comment)
 	return ( comment[0] == ' ' ) ? comment + 1 : comment;
 	}

+static ino_t get_inode_num(FILE* f, const char* filename)
+	{
+	struct stat b;
+
+	if ( fstat(fileno(f), &b) )
+		{
+		error("failed to fstat fd of %s\n", filename);
+		exit(1);
+		}
+
+	return b.st_ino;
+	}
+
 class FileInfo {
 public:
 	FileInfo(string restore_module = "");
@ -332,7 +347,18 @@ when	return TOK_WHEN;
 	const char* new_file = skip_whitespace(yytext + 7);

 	// All we have to do is pretend we've already scanned it.
-	files_scanned.append(copy_string(new_file));
+	const char* full_filename;
+	FILE* f = search_for_file(new_file, "bro", &full_filename, true);
+
+	if ( f )
+		{
+		ino_t i = get_inode_num(f, full_filename);
+		fclose(f);
+		delete [] full_filename;
+		files_scanned.push_back(i);
+		}
+	else
+		error("failed find file associated with @unload %s", new_file);
 	}

@prefixes{WS}("+"?)={WS}{PREFIX}	{
@ -499,33 +525,10 @@ YYLTYPE GetCurrentLocation()

 static int load_files_with_prefix(const char* orig_file)
 	{
-	loop_over_list(files_scanned, j)
-		{
-		if ( streq(files_scanned[j], orig_file) )
-			return 0;
-		}
-
-	// Be sure to copy "orig_file", since it could be an alias
-	// for yytext, which is ephemeral and will be zapped
-	// if we do a yy_switch_to_buffer() below.
-	char* file = copy_string(orig_file);
-
 	// Whether we pushed on a FileInfo that will restore the
 	// current module after the final file has been scanned. 
 	bool did_module_restore = false;

-	files_scanned.append(file);
-
-	// If the file has a .bro extension, add a second version to the list
-	// of known files which has it stripped.
-	char* ext = strrchr(file, '.');
-	if ( ext && streq(ext, ".bro") )
-		{
-		char* s = copy_string(file);
-		s[ext - file] = '\0';
-		files_scanned.append(s);
-		}
-
 	// Note, we need to loop through the prefixes backwards, since
 	// we push them onto a stack, with the last one we push on the
 	// stack being the first one we will scan.
@ -536,7 +539,7 @@ static int load_files_with_prefix(const char* orig_file)
 		const char* full_filename = "<internal error>";
 		FILE* f;

-		if ( streq(file, "-") )
+		if ( streq(orig_file, "-") )
 			{
 			f = stdin;
 			full_filename = "<stdin>";
@ -550,13 +553,13 @@ static int load_files_with_prefix(const char* orig_file)

 		else
 			{
-			int n = strlen(prefix) + strlen(file) + 2;
+			int n = strlen(prefix) + strlen(orig_file) + 2;
 			char* new_filename = new char[n];

 			if ( prefix[0] )
-				sprintf(new_filename, "%s.%s", prefix, file);
+				sprintf(new_filename, "%s.%s", prefix, orig_file);
 			else
-				strcpy(new_filename, file);
+				strcpy(new_filename, orig_file);

 			f = search_for_file(new_filename, "bro", &full_filename, true);
 			delete [] new_filename;
@ -564,6 +567,21 @@ static int load_files_with_prefix(const char* orig_file)

 		if ( f )
 			{
+			ino_t i = get_inode_num(f, full_filename);
+			std::list<ino_t>::const_iterator it;
+
+			for ( it = files_scanned.begin(); it != files_scanned.end(); ++it )
+				{
+				if ( *it == i )
+					{
+					fclose(f);
+					delete [] full_filename;
+					return 0;
+					}
+				}
+
+			files_scanned.push_back(i);
+
 			if ( g_policy_debug )
 				{
 				// Add the filename to the file mapping
--- a/testing/btest/Baseline/core.conn-id/output.cc
+++ b/testing/btest/Baseline/core.conn-id/output.cc
@ -1,80 +0,0 @@
-[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
--- a/testing/btest/Baseline/core.conn-uid/counts
+++ b/testing/btest/Baseline/core.conn-uid/counts
--- a/testing/btest/Baseline/core.conn-uid/output
+++ b/testing/btest/Baseline/core.conn-uid/output
@ -0,0 +1,39 @@
+[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
--- a/testing/btest/Baseline/core.conn-uid/output.cc
+++ b/testing/btest/Baseline/core.conn-uid/output.cc
@ -1,78 +1,40 @@
 [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
 [orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
 [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
 [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
 [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
 [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
 [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
 [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
 [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
 [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
 [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
 [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
 [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
 [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
 [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
 [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
 [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
 [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
 [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
 [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
 [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
 [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
 [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
 [orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
 [orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
 [orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
 [orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
 [orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
 [orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
 [orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
--- a/testing/btest/Baseline/core.conn-uid/output.cc2
+++ b/testing/btest/Baseline/core.conn-uid/output.cc2
@ -1,78 +1,39 @@
 [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
 [orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
 [orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
 [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
 [orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
 [orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
 [orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
 [orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
 [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
 [orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
 [orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
 [orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
 [orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
 [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
 [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
 [orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
 [orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
 [orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
 [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
 [orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
 [orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
 [orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
 [orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
 [orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
 [orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
 [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
 [orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
 [orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
 [orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
 [orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
 [orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
 [orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
--- a/testing/btest/Baseline/core.load-unload/output
+++ b/testing/btest/Baseline/core.load-unload/output
@ -0,0 +1,12 @@
+loading /Users/jsiwek/tmp/bro/policy/bro.init
+   loading /Users/jsiwek/tmp/bro/build/src/const.bif.bro
+   loading /Users/jsiwek/tmp/bro/build/src/types.bif.bro
+   loading /Users/jsiwek/tmp/bro/build/src/strings.bif.bro
+   loading /Users/jsiwek/tmp/bro/build/src/bro.bif.bro
+   loading /Users/jsiwek/tmp/bro/policy/logging.bro
+      loading /Users/jsiwek/tmp/bro/build/src/logging.bif.bro
+   loading /Users/jsiwek/tmp/bro/policy/logging-ascii.bro
+   loading /Users/jsiwek/tmp/bro/build/src/event.bif.bro
+   loading /Users/jsiwek/tmp/bro/policy/pcap.bro
+   loading /Users/jsiwek/tmp/bro/policy/server-ports.bro
+loading /Users/jsiwek/tmp/bro/testing/btest/.tmp/core.load-unload/load-unload.bro
--- a/testing/btest/core/conn-uid.bro
+++ b/testing/btest/core/conn-uid.bro
--- a/testing/btest/core/load-normalization.bro
+++ b/testing/btest/core/load-normalization.bro
@ -0,0 +1,14 @@
+# This tests bro's mechanism to prevent duplicate script loading.
+#
+# @TEST-EXEC: mkdir -p foo/bar
+# @TEST-EXEC: echo "@load bar/test" >loader.bro
+# @TEST-EXEC: cp %INPUT foo/bar/test.bro
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -l loader bar/test
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -l loader bar/test.bro
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -l loader foo/bar/test
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -l loader foo/bar/test.bro
+# @TEST-EXEC: BROPATH=$BROPATH:.:./foo bro -l loader `pwd`/foo/bar/test.bro
+
+type Test: enum {
+    TEST,
+};
--- a/testing/btest/core/load-unload.bro
+++ b/testing/btest/core/load-unload.bro
@ -0,0 +1,7 @@
+# This tests the @unload directive
+#
+# @TEST-EXEC: echo 'print "oops";' >dontloadmebro.bro
+# @TEST-EXEC: bro -l %INPUT dontloadmebro >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+@unload dontloadmebro
--- a/testing/btest/language/rare-events.bro
+++ b/testing/btest/language/rare-events.bro
@ -1,37 +0,0 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff notice.log
-
-# This is a test script whose job is to generate rarely-seen events
-# (i.e., events that test traces might not include) to ensure that they're
-# handled properly.
-
-# This is needed or else the output fails on the warning that
-# Drop::restore_dropped_address is never defined.
-redef check_for_unused_event_handlers = F;
-
-@load packet-filter/netstats
-
-function test_net_stats_update()
-    {
-    local t = current_time();
-
-    local s: net_stats;
-    s$pkts_recvd = 1234;
-    s$pkts_dropped = 123;
-    s$pkts_link = 9999;
-
-    event net_stats_update(t, s);
-
-    local s2: net_stats;
-    s2$pkts_recvd = 2341;
-    s2$pkts_dropped = 125;
-    s2$pkts_link = 19999;
-
-    event net_stats_update(t + 33 sec, s2);
-    }
-
-event bro_init()
-    {
-    test_net_stats_update();
-    }
-