diff --git a/CHANGES b/CHANGES
index 2d528beefb..4b195ba16f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,38 @@
 
+2.0-139 | 2012-03-02 09:33:04 -0800
+
+  * Changes to how script coverage integrates with test suites. (Jon Siwek)
+
+    - BRO_PROFILER_FILE now passes .X* templated filenames to mkstemp
+      for generating unique coverage state files.
+
+    - Rearranging Makefile targets.  The general rule is that if the
+      all/brief target fails out due to a test failure, then the dependent
+      coverage target won't run, but can still be invoked directly later.
+      (e.g. make brief || make coverage) 
+
+  * Standardized on the &default function for SSL constants. (Seth
+    Hall)
+
+  * Adding btest group "leaks" to leak tests. (Robin Sommer)
+    
+  * Adding btest group "comm" to communication tests for parallelizing
+    execution with new btest version. (Robin Sommer)
+
+  * Sorting all output for diffing in the external tests. (Robin
+    Sommer)
+
+  * Cleaned up dead code from the old SSL analyzers. Reported by
+    Julien Sentier. (Seth Hall)
+
+  * Update/add tests for broccoli IPv6 addr/subnet support. Addresses
+    #448. (Jon Siwek)
+
+  * Remove connection compressor. Addresses #559. (Jon Siwek)
+    
+  * Refactor IP_Hdr class ctors. Addresses #532. (Jon Siwek)
+    
+
 2.0-121 | 2012-02-24 16:34:17 -0800
 
   * A number of smaller memory fixes and code cleanups. (Julien
diff --git a/NEWS b/NEWS
index 045ba62a7a..2cddbeb980 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ Bro 2.1
   such that at the scripting layer, the name resolution can yield a
   set with both IPv4 and IPv6 addresses.
 
+- The connection compressor was already deprecated in 2.0 and has now
+  been removed from the code base.
+
 TODO: Extend.
 
 Bro 2.0
diff --git a/VERSION b/VERSION
index 2027efd988..fec9e62430 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0-121
+2.0-139
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 0fd3120c34..2b8f278934 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -1719,13 +1719,6 @@ global dns_skip_all_addl = T &redef;
 ## traffic and do not process it.  Set to 0 to turn off this functionality. 
 global dns_max_queries = 5;
 
-## The maxiumum size in bytes for an SSL cipher specifcation.  If we see a packet
-## that has bigger cipherspecs, we won't do a comparisons of cipherspecs.
-const ssl_max_cipherspec_size = 68 &redef;
-
-# todo::Is this still used?
-# type X509_extensions: table[count] of string;
-
 ## An X509 certificate.
 ##
 ## .. bro:see:: x509_certificate 
@@ -1738,10 +1731,6 @@ type X509: record {
 	not_valid_after: time;	##< Timestamp after when certificate is not valid.
 };
 
-# This is indexed with the CA's name and yields a DER (binary) encoded certificate.
-# todo::Is this still used?
-# const root_ca_certs: table[string] of string = {} &redef;
-
 ## HTTP session statistics.
 ##
 ## .. bro:see:: http_stats 
diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 9d16ab18ba..ab130c4318 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -13,7 +13,7 @@ export {
 		[TLSv10] = "TLSv10",
 		[TLSv11] = "TLSv11",
 		[TLSv12] = "TLSv12",
-	} &default="UNKNOWN";
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
 	## Mapping between numeric codes and human readable strings for alert 
 	## levels.
@@ -535,7 +535,7 @@ export {
 		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
 		[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
 		[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
-	} &default="UNKNOWN";
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	
 	## Mapping between the constants and string values for SSL/TLS errors.
 	const x509_errors: table[count] of string = {
@@ -573,6 +573,6 @@ export {
 		[31] = "keyusage no certsign",
 		[32] = "unable to get crl issuer",
 		[33] = "unhandled critical extension",
-	};
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 }
diff --git a/src/Brofiler.cc b/src/Brofiler.cc
index 783d027761..c9a3505069 100644
--- a/src/Brofiler.cc
+++ b/src/Brofiler.cc
@@ -1,4 +1,5 @@
 #include <cstdio>
+#include <cstring>
 #include <utility>
 #include <algorithm>
 #include "Brofiler.h"
@@ -48,10 +49,27 @@ bool Brofiler::WriteStats()
 	char* bf = getenv("BRO_PROFILER_FILE");
 	if ( ! bf ) return false;
 
-	FILE* f = fopen(bf, "w");
+	FILE* f;
+	const char* p = strstr(bf, ".XXXXXX");
+
+	if ( p && ! p[7] )
+		{
+		int fd = mkstemp(bf);
+		if ( fd == -1 )
+			{
+			reporter->Error("Failed to generate unique file name from BRO_PROFILER_FILE: %s", bf);
+			return false;
+			}
+		f = fdopen(fd, "w");
+		}
+	else
+		{
+		f = fopen(bf, "w");
+		}
+
 	if ( ! f )
 		{
-		reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing\n", bf);
+		reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
 		return false;
 		}
 
diff --git a/src/Brofiler.h b/src/Brofiler.h
index edbe1e932c..22e5808bf6 100644
--- a/src/Brofiler.h
+++ b/src/Brofiler.h
@@ -26,7 +26,9 @@ public:
 	/**
 	 * Combines usage stats from current run with any read from ReadStats(),
 	 * then writes information to file pointed to by environment variable
-	 * BRO_PROFILER_FILE.
+	 * BRO_PROFILER_FILE.  If the value of that env. variable ends with
+	 * ".XXXXXX" (exactly 6 X's), then it is first passed through mkstemp
+	 * to get a unique file.
 	 *
 	 * @return: true when usage info is written, otherwise false.
 	 */
diff --git a/src/NetVar.cc b/src/NetVar.cc
index f9bd06413b..cf77c99f7a 100644
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@@ -47,15 +47,6 @@ int tcp_max_initial_window;
 int tcp_max_above_hole_without_any_acks;
 int tcp_excessive_data_without_further_acks;
 
-int ssl_compare_cipherspecs;
-int ssl_analyze_certificates;
-int ssl_store_certificates;
-int ssl_verify_certificates;
-int ssl_store_key_material;
-int ssl_max_cipherspec_size;
-StringVal* ssl_store_cert_path;
-StringVal* x509_trusted_cert_path;
-TableType* cipher_suites_list;
 RecordType* x509_type;
 
 double non_analyzed_lifetime;
@@ -192,8 +183,6 @@ StringVal* ssl_ca_certificate;
 StringVal* ssl_private_key;
 StringVal* ssl_passphrase;
 
-StringVal* x509_crl_file;
-
 Val* profiling_file;
 double profiling_interval;
 int expensive_profiling_multiple;
@@ -355,17 +344,7 @@ void init_net_var()
 	tcp_excessive_data_without_further_acks =
 		opt_internal_int("tcp_excessive_data_without_further_acks");
 
-	ssl_compare_cipherspecs  = opt_internal_int("ssl_compare_cipherspecs");
-	ssl_analyze_certificates = opt_internal_int("ssl_analyze_certificates");
-	ssl_store_certificates   = opt_internal_int("ssl_store_certificates");
-	ssl_verify_certificates  = opt_internal_int("ssl_verify_certificates");
-	ssl_store_key_material = opt_internal_int("ssl_store_key_material");
-	ssl_max_cipherspec_size  = opt_internal_int("ssl_max_cipherspec_size");
-
-	x509_trusted_cert_path = opt_internal_string("X509_trusted_cert_path");
-	ssl_store_cert_path = opt_internal_string("ssl_store_cert_path");
 	x509_type = internal_type("X509")->AsRecordType();
-	x509_crl_file = opt_internal_string("X509_crl_file");
 
 	non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime");
 	tcp_inactivity_timeout = opt_internal_double("tcp_inactivity_timeout");
diff --git a/src/NetVar.h b/src/NetVar.h
index acdafaea4c..0b0eed6e64 100644
--- a/src/NetVar.h
+++ b/src/NetVar.h
@@ -50,17 +50,7 @@ extern int tcp_max_initial_window;
 extern int tcp_max_above_hole_without_any_acks;
 extern int tcp_excessive_data_without_further_acks;
 
-// see policy/ssl.bro for details
-extern int ssl_compare_cipherspecs;
-extern int ssl_analyze_certificates;
-extern int ssl_store_certificates;
-extern int ssl_verify_certificates;
-extern int ssl_store_key_material;
-extern int ssl_max_cipherspec_size;
-extern StringVal* ssl_store_cert_path;
-extern StringVal* x509_trusted_cert_path;
 extern RecordType* x509_type;
-extern StringVal* x509_crl_file;
 
 extern double non_analyzed_lifetime;
 extern double tcp_inactivity_timeout;
diff --git a/src/X509.cc b/src/X509.cc
deleted file mode 100644
index 55b6b78f04..0000000000
--- a/src/X509.cc
+++ /dev/null
@@ -1,263 +0,0 @@
-#include <openssl/err.h>
-
-#include "X509.h"
-#include "config.h"
-
-// ### NOTE: while d2i_X509 does not take a const u_char** pointer,
-// here we assume d2i_X509 does not write to <data>, so it is safe to
-// convert data to a non-const pointer.  Could some X509 guru verify
-// this?
-
-X509* d2i_X509_(X509** px, const u_char** in, int len)
-	{
-#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
-	  return d2i_X509(px, in, len);
-#else
-	  return d2i_X509(px, (u_char**)in, len);
-#endif
-	}
-
-X509_STORE* X509_Cert::ctx = 0;
-X509_LOOKUP* X509_Cert::lookup = 0;
-X509_STORE_CTX X509_Cert::csc;
-bool X509_Cert::bInited = false;
-
-// TODO: Check if Key < 768 Bits => Weakness!
-// FIXME: Merge verify and verifyChain.
-
-void X509_Cert::sslCertificateEvent(Contents_SSL* e, X509* pCert)
-	{
-	EventHandlerPtr event = ssl_certificate;
-	if ( ! event )
-		return;
-
-	char tmp[256];
-	RecordVal* pX509Cert = new RecordVal(x509_type);
-
-	X509_NAME_oneline(X509_get_issuer_name(pCert), tmp, sizeof tmp);
-	pX509Cert->Assign(0, new StringVal(tmp));
-	X509_NAME_oneline(X509_get_subject_name(pCert), tmp, sizeof tmp);
-	pX509Cert->Assign(1, new StringVal(tmp));
-	pX509Cert->Assign(2, new AddrVal(e->Conn()->OrigAddr()));
-
-	val_list* vl = new val_list;
-	vl->append(e->BuildConnVal());
-	vl->append(pX509Cert);
-	vl->append(new Val(e->IsOrig(), TYPE_BOOL));
-
-	e->Conn()->ConnectionEvent(event, e, vl);
-	}
-
-void X509_Cert::sslCertificateError(Contents_SSL* e, int error_numbe)
-	{
-	Val* err_str = new StringVal(X509_verify_cert_error_string(csc.error));
-	val_list* vl = new val_list;
-
-	vl->append(e->BuildConnVal());
-	vl->append(new Val(csc.error, TYPE_INT));
-	vl->append(err_str);
-
-	e->Conn()->ConnectionEvent(ssl_X509_error, e, vl);
-	}
-
-int X509_Cert::init()
-	{
-#if 0
-	OpenSSL_add_all_algorithms();
-#endif
-
-	ctx = X509_STORE_new();
-	int flag = 0;
-	int ret = 0;
-
-	if ( x509_trusted_cert_path &&
-	     x509_trusted_cert_path->AsString()->Len() > 0 )
-		{ // add the path(s) for the local CA's certificates
-		const BroString* pString = x509_trusted_cert_path->AsString();
-
-		lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());
-		if ( ! lookup )
-			{
-			reporter->Error("X509_Cert::init(): initing lookup failed\n");
-			flag = 1;
-			}
-
-		int i = X509_LOOKUP_add_dir(lookup,
-				(const char*) pString->Bytes(),
-				X509_FILETYPE_PEM);
-		if ( ! i )
-			{
-			reporter->Error("X509_Cert::init(): error adding lookup directory\n");
-			ret = 0;
-			}
-		}
-	else
-		{
-		printf("X509: Using the default trusted cert path.\n");
-		X509_STORE_set_default_paths(ctx);
-		}
-
-	// Add crl functionality - will only add if defined and
-	// X509_STORE_add_lookup was successful.
-	if ( ! flag && x509_crl_file && x509_crl_file->AsString()->Len() > 0 )
-		{
-		const BroString* rString = x509_crl_file->AsString();
-
-		if ( X509_load_crl_file(lookup, (const char*) rString->Bytes(),
-					X509_FILETYPE_PEM) != 1 )
-			{
-			reporter->Error("X509_Cert::init(): error reading CRL file\n");
-			ret = 1;
-			}
-
-#if 0
-		// Note, openssl version must be > 0.9.7(a).
-		X509_STORE_set_flags(ctx,
-			X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#endif
-		}
-
-	bInited = true;
-	return ret;
-	}
-
-int X509_Cert::verify(Contents_SSL* e, const u_char* data, uint32 len)
-	{
-	if ( ! bInited )
-		init();
-
-	X509* pCert = d2i_X509_(NULL, &data, len);
-	if ( ! pCert )
-		{
-		// 5 = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
-		sslCertificateError(e, 5);
-		return -1;
-		}
-
-	sslCertificateEvent(e, pCert);
-
-	X509_STORE_CTX_init(&csc, ctx, pCert, 0);
-	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
-	int i = X509_verify_cert(&csc);
-	X509_STORE_CTX_cleanup(&csc);
-	int ret = 0;
-
-	int ext = X509_get_ext_count(pCert);
-
-	if ( ext > 0 )
-		{
-		TableVal* x509ex = new TableVal(x509_extension);
-		val_list* vl = new val_list;
-		char buf[256];
-
-		for ( int k = 0; k < ext; ++k )
-			{
-			X509_EXTENSION* ex = X509_get_ext(pCert, k);
-			ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex);
-			i2t_ASN1_OBJECT(buf, sizeof(buf), obj);
-
-			Val* index = new Val(k+1, TYPE_COUNT);
-			Val* value = new StringVal(strlen(buf), buf);
-			x509ex->Assign(index, value);
-			Unref(index);
-			// later we can do critical extensions like:
-			// X509_EXTENSION_get_critical(ex);
-			}
-
-		vl->append(e->BuildConnVal());
-		vl->append(x509ex);
-		e->Conn()->ConnectionEvent(process_X509_extensions, e, vl);
-		}
-
-	if ( ! i )
-		{
-		sslCertificateError(e, csc.error);
-		ret = csc.error;
-		}
-	else
-		ret = 0;
-
-	delete pCert;
-	return ret;
-	}
-
-int X509_Cert::verifyChain(Contents_SSL* e, const u_char* data, uint32 len)
-	{
-	if ( ! bInited )
-		init();
-
-	// Gets an ssl3x cert chain (could be one single cert, too,
-	// but in chain format).
-
-	// Init the stack.
-	STACK_OF(X509)* untrustedCerts = sk_X509_new_null();
-	if ( ! untrustedCerts )
-		{
-		// Internal error allocating stack of untrusted certs.
-		// 11 = X509_V_ERR_OUT_OF_MEM
-		sslCertificateError(e, 11);
-		return -1;
-		}
-
-	// NOT AGAIN!!!
-	// Extract certificates and put them into an OpenSSL Stack.
-	uint tempLength = 0;
-	int certCount = 0;
-	X509* pCert = 0; // base cert, this one is to be verified
-
-	while ( tempLength < len )
-		{
-		++certCount;
-		uint32 certLength =
-			uint32((data[tempLength + 0] << 16) |
-			       data[tempLength + 1] << 8) |
-			data[tempLength + 2];
-
-		// Points to current cert.
-		const u_char* pCurrentCert = &data[tempLength+3];
-
-		X509* pTemp = d2i_X509_(0, &pCurrentCert, certLength);
-		if ( ! pTemp )
-			{ // error is somewhat of a misnomer
-			// 5 = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
-			sslCertificateError(e, 5);
-			//FIXME: free ptrs
-			return -1;
-			}
-
-		if ( certCount == 1 )
-			// The first certificate goes directly into the ctx.
-			pCert = pTemp;
-		else
-			// The remaining certificates (if any) are put into
-			// the list of untrusted certificates
-			sk_X509_push(untrustedCerts, pTemp);
-
-		tempLength += certLength + 3;
-		}
-
-	sslCertificateEvent(e, pCert);
-
-	X509_STORE_CTX_init(&csc, ctx, pCert, untrustedCerts);
-	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
-	int i = X509_verify_cert(&csc);
-	X509_STORE_CTX_cleanup(&csc);
-	//X509_STORE_CTX_free(&csc);
-	int ret = 0;
-
-	if ( ! i )
-		{
-		sslCertificateError(e, csc.error);
-		ret = csc.error;
-		}
-	else
-		ret = 0;
-
-	delete pCert;
-	// Free the stack, incuding. contents.
-
-	// FIXME: could this break Bro's memory tracking?
-	sk_X509_pop_free(untrustedCerts, X509_free);
-
-	return ret;
-	}
diff --git a/src/event.bif b/src/event.bif
index 1423750f29..0578664f54 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -4594,7 +4594,6 @@ event ssh_server_version%(c: connection, version: string%);
 ##
 ## .. bro:see:: ssl_alert  ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
-##    ssl_max_cipherspec_size
 event ssl_client_hello%(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set%);
 
 ## Generated for an SSL/TLS servers's initial *hello* message. SSL/TLS sessions
@@ -4625,7 +4624,6 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, sessio
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension
 ##    ssl_session_ticket_handshake x509_certificate x509_error x509_extension
-##    ssl_max_cipherspec_size
 event ssl_server_hello%(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS sessions
diff --git a/testing/Makefile b/testing/Makefile
index f65d5a1fef..1c82580ec4 100644
--- a/testing/Makefile
+++ b/testing/Makefile
@@ -12,6 +12,7 @@ make-brief:
 	@for repo in $(DIRS); do (cd $$repo && make brief ); done
 
 coverage:
+	@for repo in $(DIRS); do (cd $$repo && echo "Coverage for '$$repo' dir:" && make coverage); done
 	@test -f btest/coverage.log && cp btest/coverage.log `mktemp brocov.tmp.XXX` || true
 	@for f in external/*/coverage.log; do test -f $$f && cp $$f `mktemp brocov.tmp.XXX` || true; done
 	@echo "Complete test suite code coverage:"
diff --git a/testing/btest/Makefile b/testing/btest/Makefile
index a2ca30609a..caf0a786f7 100644
--- a/testing/btest/Makefile
+++ b/testing/btest/Makefile
@@ -2,16 +2,23 @@
 DIAG=diag.log
 BTEST=../../aux/btest/btest
 
-all: cleanup
-    # Showing all tests.
-	@$(BTEST) -f $(DIAG)
-	@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
+all: cleanup btest-verbose coverage
 
-brief: cleanup
-    # Brief output showing only failed tests.
+# Showing all tests.
+btest-verbose:
+	@$(BTEST) -f $(DIAG)
+
+brief: cleanup btest-brief coverage
+
+# Brief output showing only failed tests.
+btest-brief:
 	@$(BTEST) -b -f $(DIAG)
+
+coverage:
 	@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
 
 cleanup:
 	@rm -f $(DIAG)
 	@rm -f .tmp/script-coverage*
+
+.PHONY: all btest-verbose brief btest-brief coverage cleanup
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index c0d3c1fd20..4c4074ee24 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -18,4 +18,4 @@ DIST=%(testbase)s/../..
 BUILD=%(testbase)s/../../build
 TEST_DIFF_CANONIFIER=$SCRIPTS/diff-canonifier
 TMPDIR=%(testbase)s/.tmp
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.bro
index 3d3fdc6f09..2816750758 100644
--- a/testing/btest/core/leaks/dns.bro
+++ b/testing/btest/core/leaks/dns.bro
@@ -1,5 +1,7 @@
 # Needs perftools support.
 #
+# @TEST-GROUP: leaks
+#
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace %INPUT
diff --git a/testing/btest/core/leaks/test-all.bro b/testing/btest/core/leaks/test-all.bro
index 6e605372c9..f217cc229c 100644
--- a/testing/btest/core/leaks/test-all.bro
+++ b/testing/btest/core/leaks/test-all.bro
@@ -1,5 +1,7 @@
 # Needs perftools support.
 #
+# @TEST-GROUP: leaks
+#
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace test-all-policy
diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro
index d567d58c0c..b7ab5bdb05 100644
--- a/testing/btest/istate/broccoli-ipv6.bro
+++ b/testing/btest/istate/broccoli-ipv6.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
 # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broccoli-v6addrs.bro
diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro
index 6b88794f73..235ff9119c 100644
--- a/testing/btest/istate/broccoli.bro
+++ b/testing/btest/istate/broccoli.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 #
 # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro
diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro
index 5a41e1683b..25aa2dc8fb 100644
--- a/testing/btest/istate/events-ssl.bro
+++ b/testing/btest/istate/events-ssl.bro
@@ -1,4 +1,5 @@
-# 
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run sender   bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro
 # @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro
 # @TEST-EXEC: btest-bg-wait -k 20
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro
index a0dc494ced..81a1d765db 100644
--- a/testing/btest/istate/events.bro
+++ b/testing/btest/istate/events.bro
@@ -1,4 +1,5 @@
-# 
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run sender   bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro
 # @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro
 # @TEST-EXEC: btest-bg-wait -k 20
diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py
index 4e192fcfb6..1a5830b41a 100644
--- a/testing/btest/istate/pybroccoli.py
+++ b/testing/btest/istate/pybroccoli.py
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib
 # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so
 #
diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro
index 1ccdc5538c..db5ea0bbb4 100644
--- a/testing/btest/istate/sync.bro
+++ b/testing/btest/istate/sync.bro
@@ -1,3 +1,4 @@
+# @TEST-GROUP: comm
 #
 # @TEST-EXEC: btest-bg-run sender   bro %INPUT ../sender.bro
 # @TEST-EXEC: btest-bg-run receiver bro %INPUT ../receiver.bro
diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
index b8ee4c33e8..d7b552d962 100644
--- a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
+++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run proxy-2   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT
diff --git a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
index dc3b43ad67..85b23dbdc0 100644
--- a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
+++ b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
@@ -1,4 +1,5 @@
-# 
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run receiver bro -b ../receiver.bro
 # @TEST-EXEC: btest-bg-run sender   bro -b ../sender.bro
 # @TEST-EXEC: btest-bg-wait -k 10
diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro
index 9b16faee69..d09105ca7a 100644
--- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro
+++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run controllee  BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65531/tcp 
 # @TEST-EXEC: btest-bg-run controller  BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update
 # @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown
diff --git a/testing/btest/scripts/base/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro
index e06fa46e74..7235521034 100644
--- a/testing/btest/scripts/base/frameworks/control/id_value.bro
+++ b/testing/btest/scripts/base/frameworks/control/id_value.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run controllee  BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port=65532/tcp 
 # @TEST-EXEC: btest-bg-run controller  BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var
 # @TEST-EXEC: btest-bg-wait -k 10
diff --git a/testing/btest/scripts/base/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.bro
index 9953a8382a..ec1ca6da16 100644
--- a/testing/btest/scripts/base/frameworks/control/shutdown.bro
+++ b/testing/btest/scripts/base/frameworks/control/shutdown.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65530/tcp 
 # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown
 # @TEST-EXEC: btest-bg-wait 10
diff --git a/testing/btest/scripts/base/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro
index 4e866cc985..ce93495bc8 100644
--- a/testing/btest/scripts/base/frameworks/logging/remote-types.bro
+++ b/testing/btest/scripts/base/frameworks/logging/remote-types.bro
@@ -1,3 +1,4 @@
+# @TEST-GROUP: comm
 #
 # @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
 # @TEST-EXEC: btest-bg-run receiver bro --pseudo-realtime %INPUT ../receiver.bro
diff --git a/testing/btest/scripts/base/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro
index 8ed3405aed..bb1e5b8ce3 100644
--- a/testing/btest/scripts/base/frameworks/logging/remote.bro
+++ b/testing/btest/scripts/base/frameworks/logging/remote.bro
@@ -1,3 +1,4 @@
+# @TEST-GROUP: comm
 #
 # @TEST-EXEC: btest-bg-run sender bro --pseudo-realtime %INPUT ../sender.bro
 # @TEST-EXEC: sleep 1
diff --git a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
index 23b87053ab..b801074b33 100644
--- a/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/metrics/basic-cluster.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
 # @TEST-EXEC: sleep 1
diff --git a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
index 45d44898aa..701d2ea378 100644
--- a/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
+++ b/testing/btest/scripts/base/frameworks/metrics/cluster-intermediate-update.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
 # @TEST-EXEC: sleep 1
diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.bro
index 125d021d82..97470eaa7f 100644
--- a/testing/btest/scripts/base/frameworks/notice/cluster.bro
+++ b/testing/btest/scripts/base/frameworks/notice/cluster.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
 # @TEST-EXEC: sleep 1
diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro
index e084fb74e0..d56d940e8e 100644
--- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro
+++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro
@@ -1,3 +1,5 @@
+# @TEST-GROUP: comm
+#
 # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
 # @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
 # @TEST-EXEC: sleep 1
diff --git a/testing/external/Makefile b/testing/external/Makefile
index 994d8962c0..b705734003 100644
--- a/testing/external/Makefile
+++ b/testing/external/Makefile
@@ -24,3 +24,7 @@ push:
 status:
 	@for repo in $(REPOS); do ( cd $$repo && echo '>>' $$repo && git status -bs && echo ); done
 
+coverage:
+	@for repo in $(REPOS); do (cd $$repo && echo "Coverage for '$$repo' repo:" && make coverage); done
+
+.PHONY: all brief init pull push status coverage
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index 7b1d59cb07..c4e74f99fa 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -17,4 +17,4 @@ TRACES=%(testbase)s/Traces
 SCRIPTS=%(testbase)s/../scripts
 DIST=%(testbase)s/../../..
 BUILD=%(testbase)s/../../../build
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
diff --git a/testing/scripts/btest-bg-run b/testing/scripts/btest-bg-run
deleted file mode 100755
index 64a38b9759..0000000000
--- a/testing/scripts/btest-bg-run
+++ /dev/null
@@ -1,7 +0,0 @@
-#! /usr/bin/env bash
-
-# This is a wrapper script to btest's real btest-bg-run.  It's used
-# when collecting Bro script coverage statistics so that two independent
-# Bro processing don't try to write those usage statistics to the same file.
-
-BRO_PROFILER_FILE=`mktemp $TMPDIR/script-coverage.XXXX` $BTEST_PATH/btest-bg-run $@
diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external
index 1f953183d3..6796614362 100755
--- a/testing/scripts/diff-canonifier-external
+++ b/testing/scripts/diff-canonifier-external
@@ -6,3 +6,4 @@
     | `dirname $0`/diff-remove-uids \
     | `dirname $0`/diff-remove-mime-types \
     | `dirname $0`/diff-remove-x509-names \
+    | `dirname $0`/diff-sort
diff --git a/testing/scripts/diff-sort b/testing/scripts/diff-sort
new file mode 100755
index 0000000000..08b36c79bf
--- /dev/null
+++ b/testing/scripts/diff-sort
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# A diff canonifier that sorts all lines but keeps all comments
+# at the top. It also adds a note at the beginning as a reminder
+# that the output has been sorted.
+
+if [ "$TMP" == "" ]; then
+    TMP=/tmp
+fi
+
+tmp=$TMP/`basename $0`.$$.tmp
+
+cat >$tmp
+
+echo "### NOTE: This file has been sorted with `basename $0`."
+cat $tmp | grep ^#
+cat $tmp | grep -v ^# | sort -s
+
+rm -f $tmp