diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro
index bd27f4fb85..54d181e43e 100644
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@@ -13,104 +13,3 @@ event socks_request(c: connection, request_type: count, dstaddr: addr, dstname:
 {
 Tunnel::register([$cid=c$id, $tunnel_type=Tunnel::SOCKS, $uid=c$uid]);
 }
-
-#
-#global output = open_log_file("socks");
-#
-#type socks_conn: record {
-# id: conn_id;
-# t: time;
-# req: socks_request_type &optional;
-# dstaddr: addr &optional;
-# dstname: string &optional;
-# p: port &optional;
-# user: string &optional;
-# service: string &optional;
-# variant: string &default = "SOCKS v4";
-# granted: string &default = "no-reply";
-#};
-#
-#
-#global conns: table[conn_id] of socks_conn;
-#global proxies: set[addr] &read_expire = 24hrs;
-#
-#event socks_request(c: connection, t: socks_request_type, dstaddr: addr, dstname: string, p: port, user: string)
-# {
-# local id = c$id;
-#
-# local sc: socks_conn;
-# sc$id = id;
-# sc$t = c$start_time;
-# sc$req = t;
-#
-# if ( dstaddr != 0.0.0.0 )
-# sc$dstaddr = dstaddr;
-#
-# if ( dstname != "" )
-# sc$dstname = dstname;
-#
-# if ( p != 0/tcp )
-# sc$p = p;
-#
-# if ( user != "" )
-# sc$user = user;
-#
-# conns[id] = sc;
-# }
-#
-#event socks_reply(c: connection, granted: bool, dst: addr, p: port)
-# {
-# local id = c$id;
-# local sc: socks_conn;
-#
-# if ( id in conns )
-# sc = conns[id];
-# else
-# {
-# sc$id = id;
-# sc$t = c$start_time;
-# conns[id] = sc;
-# }
-#
-# sc$granted = granted ? "ok" : "denied";
-#
-# local proxy = c$id$resp_h;
-#
-# if ( proxy !in proxies )
-# {
-# NOTICE([$note=SOCKSProxy, $src=proxy, $sub=sc$variant,
-# $msg=fmt("SOCKS proxy seen at %s (%s)", proxy, sc$variant)]);
-# add proxies[proxy];
-# }
-# }
-#
-#function print_conn(sc: socks_conn)
-# {
-# local req = "";
-# if ( sc?$req )
-# {
-# if ( sc$req == SOCKS_CONNECTION )
-# req = "relay-to";
-# if ( sc$req == SOCKS_PORT )
-# req = "bind-port";
-# }
-#
-# local p = sc?$p ? fmt("%s", sc$p) : "";
-#
-# local dest = sc?$dstaddr
-# ? (fmt("%s:%s%s", sc$dstaddr, p, (sc?$dstname ? fmt(" (%s)", sc$dstname) : "")))
-# : (sc?$dstname ? 
fmt("%s:%s", sc$dstname, p) : "");
-# local user = sc?$user ? fmt(" (user %s)", sc?$user) : "";
-#
-# local service = sc?$service ? fmt(" [%s]", sc$service) : "";
-#
-# print output, fmt("%.6f %s %s %s %s-> %s%s", sc$t, id_string(sc$id), req,
-# dest, user, sc$granted, service);
-# }
-#
-#event connection_state_remove(c: connection)
-# {
-# if ( c$id in conns )
-# print_conn(conns[c$id]);
-# }
-#
diff --git a/testing/btest/Baseline/core.tunnels.socks/conn.log b/testing/btest/Baseline/core.tunnels.socks/conn.log
new file mode 100644
index 0000000000..9d5ae8efb1
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/conn.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes parents
+#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
+1208299429.265243 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 tcp http,socks 0.008138 152 3950 SF - 0 ShAaDdfF 9 632 9 4430 (empty)
diff --git a/testing/btest/Baseline/core.tunnels.socks/http.log b/testing/btest/Baseline/core.tunnels.socks/http.log
new file mode 100644
index 0000000000..2dcab3f254
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/http.log
@@ -0,0 +1,8 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
+#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
+1208299429.270361 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 1 GET www.icir.org / - curl/7.16.3 (powerpc-apple-darwin9.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 0 3677 200 OK - - - (empty) - - - text/html - -
diff --git a/testing/btest/Baseline/core.tunnels.socks/output b/testing/btest/Baseline/core.tunnels.socks/output
new file mode 100644
index 0000000000..8bf984a58a
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/output
@@ -0,0 +1,11 @@
+[id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=177, flow_label=0], resp=[size=8, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0], start_time=1208299429.265243, duration=0.002565, service={
+SOCKS
+}, addl=, hot=0, history=ShAaDd, uid=UWkUyAuUGXf, tunnel=[], dpd=, conn=[ts=1208299429.265243, uid=UWkUyAuUGXf, id=[orig_h=127.0.0.1, orig_p=62270/tcp, resp_h=127.0.0.1, resp_p=1080/tcp], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=, missed_bytes=0, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=, parents={
+
+}], extract_orig=F, extract_resp=F, dns=, dns_state=, ftp=, http=, http_state=, irc=, smtp=, smtp_state=, ssh=, ssl=, syslog=]
+---
+1
+192.150.187.12
+
+80/tcp
+
diff --git a/testing/btest/Baseline/core.tunnels.socks/tunnel.log b/testing/btest/Baseline/core.tunnels.socks/tunnel.log
new file mode 100644
index 0000000000..9ccbe8af26
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.socks/tunnel.log
@@ -0,0 +1,9 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p action tunnel_type
+#types time string addr port addr port enum enum
+1208299429.267808 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::DISCOVER Tunnel::SOCKS
+1208299429.273401 UWkUyAuUGXf 127.0.0.1 62270 127.0.0.1 1080 Tunnel::CLOSE Tunnel::SOCKS
diff --git a/testing/btest/Traces/tunnels/socks.pcap b/testing/btest/Traces/tunnels/socks.pcap
new file mode 100644
index 0000000000..d70e2cb7dc
Binary files /dev/null and b/testing/btest/Traces/tunnels/socks.pcap differ
diff --git a/testing/btest/core/tunnels/socks.bro b/testing/btest/core/tunnels/socks.bro
new file mode 100644
index 0000000000..8ab288c9bd
--- /dev/null
+++ b/testing/btest/core/tunnels/socks.bro
@@ -0,0 +1,19 @@
+# @TEST-EXEC: bro -Cr $TRACES/tunnels/socks.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff tunnel.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff http.log
+
+event socks_request(c: connection, request_type: count, dstaddr: addr,
+ dstname: string, p: port, user: string)
+ {
+ print c;
+ print "---";
+ print request_type;
+ print dstaddr;
+ print dstname;
+ print p;
+ print user;
+ }
+
+
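Review bot: `print c;` in the socks_request handler dumps the whole connection record, so the `output` baseline pins every member of `connection` (the nested conn record and the dns=, http=, ssh=, ssl= … slots visible in the baseline) and any unrelated extension of that record will break this tunnel test; printing only the identifying fields, `print c$id;` and `print c$uid;`, keeps the baseline tied to what the test is actually checking, at the cost of regenerating the `output` baseline once. The remaining prints cover the request side only; the reply (granted/denied) is not exercised here, and whether a reply event is available cannot be told from this diff, since the only reference to one is in the commented-out block removed from main.bro. The tunnel.log baseline does show DISCOVER and CLOSE, so tunnel registration itself is covered.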