diff --git a/CHANGES b/CHANGES
index c02fe4675f..a1738fffe4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,12 @@
+2.3-685 | 2015-04-09 14:52:11 -0700
+
+ * Remove stale signature benchmarking code (-L command-line option).
+ (Jon Siwek)
+
+ * BIT-844: fix UDP payload signatures to match packet-wise. (Jon
+ Siwek)
+
 2.3-682 | 2015-04-09 12:07:00 -0700
 * Fixing input readers' component type. (Robin Sommer)
diff --git a/VERSION b/VERSION
index 5b8b63a8bf..7afb8c6093 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-682
+2.3-685
diff --git a/aux/binpac b/aux/binpac
index ab50e5115b..544330932e 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit ab50e5115bc0d217552a63f15382e45ed608f5fc
+Subproject commit 544330932e7cd4615d6d19f63907e8aa2acebb9e
diff --git a/src/RE.cc b/src/RE.cc
index 4855b0e39a..f52eff47eb 100644
--- a/src/RE.cc
+++ b/src/RE.cc
@@ -20,9 +20,6 @@ int case_insensitive = 0;
 extern int RE_parse(void);
 extern void RE_set_input(const char* str);
-// If true, the set-wise matching always returns false - for benchmarking.
-extern int rule_bench;
-
 Specific_RE_Matcher::Specific_RE_Matcher(match_type arg_mt, int arg_multiline)
 : equiv_class(NUM_SYM)
 {
@@ -279,9 +276,6 @@ inline void RE_Match_State::AddMatches(const AcceptingSet& as,
 bool RE_Match_State::Match(const u_char* bv, int n,
 bool bol, bool eol, bool clear)
 {
- if ( rule_bench > 0 )
- return false;
-
 if ( current_pos == -1 )
 {
 // First call to Match().
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index ca08388b10..1fb5e21d67 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -577,9 +577,6 @@ RuleFileMagicState* RuleMatcher::InitFileMagic() const
 {
 RuleFileMagicState* state = new RuleFileMagicState();
- if ( rule_bench == 3 )
- return state;
-
 loop_over_list(root->psets[Rule::FILE_MAGIC], i)
 {
 RuleHdrTest::PatternSet* set = root->psets[Rule::FILE_MAGIC][i];
@@ -630,9 +627,6 @@ RuleMatcher::MIME_Matches* RuleMatcher::Match(RuleFileMagicState* state,
 return rval;
 }
- if ( rule_bench >= 2 )
- return rval;
-
 #ifdef DEBUG
 if ( debug_logger.IsEnabled(DBG_RULES) )
 {
@@ -712,9 +706,6 @@ RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
 RuleEndpointState* state = new RuleEndpointState(analyzer, from_orig, opposite, pia);
- if ( rule_bench == 3 )
- return state;
-
 rule_hdr_test_list tests;
 tests.append(root);
@@ -837,9 +828,6 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
 // for 'accepted' (that depends on the average number of matching
 // patterns).
- if ( rule_bench >= 2 )
- return;
-
 bool newmatch = false;
 #ifdef DEBUG
@@ -956,9 +944,6 @@ void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
 void RuleMatcher::FinishEndpoint(RuleEndpointState* state)
 {
- if ( rule_bench == 3 )
- return;
-
 // Send EOL to payload matchers.
 Match(state, Rule::PAYLOAD, (const u_char *) "", 0, false, true, false);
@@ -1110,15 +1095,7 @@ void RuleMatcher::ExecRule(Rule* rule, RuleEndpointState* state, bool eos)
 void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
 {
- if ( rule_bench == 3 )
- return;
-
- ExecPureRules(state, 1);
 state->payload_size = -1;
- state->matched_by_patterns.clear();
- loop_over_list(state->matched_text, i)
- delete state->matched_text[i];
- state->matched_text.clear();
 loop_over_list(state->matchers, j)
 state->matchers[j]->state->Clear();
@@ -1126,9 +1103,6 @@ void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
 void RuleMatcher::ClearFileMagicState(RuleFileMagicState* state) const
 {
- if ( rule_bench == 3 )
- return;
-
 loop_over_list(state->matchers, j)
 state->matchers[j]->state->Clear();
 }
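Review bot: In the `ClearEndpointState` hunk, dropping `ExecPureRules(state, 1)` together with the `matched_by_patterns`/`matched_text` cleanup changes what "clear" means for every caller of this function, not only for the new per-packet UDP path, and nothing in the remaining body records the new contract. Keeping `matched_by_patterns` across clears presumably means a signature still fires at most once per endpoint even though each datagram is now matched from scratch; if that is intended it deserves a comment such as `// Reset only the regex matcher state so the next chunk is matched afresh; matched_by_patterns/matched_text persist for the endpoint's lifetime.` I cannot see from this hunk where the `matched_text` entries are now deleted — if `~RuleEndpointState` does not free them, each matching UDP endpoint leaks them. Please also confirm pure rules are still executed on some path, since the removed call was the only one in view; the enclosing function ends outside the hunk.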
@@ -1496,8 +1470,12 @@ void RuleMatcherState::ClearMatchState(bool orig)
 if ( ! rule_matcher )
 return;
- if ( orig_match_state )
- rule_matcher->ClearEndpointState(orig_match_state);
- if ( resp_match_state )
+ if ( orig )
+ {
+ if ( orig_match_state )
+ rule_matcher->ClearEndpointState(orig_match_state);
+ }
+
+ else if ( resp_match_state )
 rule_matcher->ClearEndpointState(resp_match_state);
 }
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index da2838cb6d..6ffc971db1 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -22,8 +22,6 @@
 //#define MATCHER_PRINT_STATS
-extern int rule_bench;
-
 // Parser interface:
 extern void rules_error(const char* msg);
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index 69a0c5d312..1adeb54a2d 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -81,7 +81,7 @@ void PIA::PIA_Done()
 }
 void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq,
- const IP_Hdr* ip, int caplen)
+ const IP_Hdr* ip, int caplen, bool clear_state)
 {
 if ( pkt_buffer.state == SKIPPING )
 return;
@@ -108,6 +108,9 @@ void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, uint64 se
 // FIXME: I'm not sure why it does not work with eol=true...
 DoMatch(data, len, is_orig, true, false, false, ip);
+ if ( clear_state )
+ RuleMatcherState::ClearMatchState(is_orig);
+
 pkt_buffer.state = new_state;
 current_packet.data = 0;
diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
index d6e07f68c3..85683289a9 100644
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@@ -42,7 +42,7 @@ public:
 protected:
 void PIA_Done();
 void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
- uint64 seq, const IP_Hdr* ip, int caplen);
+ uint64 seq, const IP_Hdr* ip, int caplen, bool clear_state);
 enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
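Review bot: The rewritten `ClearMatchState` now honors its `orig` argument, whereas the removed body cleared both `orig_match_state` and `resp_match_state` regardless of it; any pre-existing caller that relied on a single call resetting both directions now gets only one side cleared, and the hunk does not record that this is deliberate. The signature sits outside the hunk; documenting the new contract there would help, e.g. `// Reset the payload-signature matcher state of one direction only: the originator's when orig is true, otherwise the responder's.` Please also confirm the other callers of this function (not in view) want the one-sided behavior.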
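Review bot: In the second PIA.cc hunk the new `ClearMatchState(is_orig)` runs immediately after `DoMatch(data, len, is_orig, true, false, false, ip)`, so on the packet-wise path every datagram is matched with a beginning-of-line signal but never an end-of-line one before its matcher state is discarded; a `$`-anchored UDP payload signature therefore presumably can never match, and the added test only exercises `^`. The FIXME just above says `eol=true` "does not work", so either that needs investigating for this path or the limitation should be stated at the call, e.g. `// Packet-wise matching: discard matcher state so the next datagram starts fresh. No EOL is fed before the reset, so $-anchored payloads will not match here.` The enclosing function starts before and continues after this hunk.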
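Review bot: The new `bool clear_state` parameter on the `PIA_DeliverPacket` declaration carries no comment, so a reader of the header has to follow the definition to `RuleMatcherState::ClearMatchState` to learn what passing true does and which subclass should do so. Suggest documenting it at the declaration: `// clear_state: reset this direction's payload-signature matcher after the packet has been matched, so signatures match per datagram rather than across the whole flow.` The surrounding class body extends beyond the hunk.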
@@ -109,7 +109,7 @@ protected:
 uint64 seq, const IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
- PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+ PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
 }
 virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule);
@@ -154,7 +154,7 @@ protected:
 uint64 seq, const IP_Hdr* ip, int caplen)
 {
 Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
- PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+ PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false);
 }
 virtual void DeliverStream(int len, const u_char* data, bool is_orig);
diff --git a/src/main.cc b/src/main.cc
index 24c19c19d9..d7259a7246 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -117,7 +117,6 @@ SampleLogger* sample_logger = 0;
 int signal_val = 0;
 int optimize = 0;
 int do_notice_analysis = 0;
-int rule_bench = 0;
 extern char version[];
 char* command_line_policy = 0;
 vector params;
@@ -195,7 +194,6 @@ void usage()
 fprintf(stderr, " -F|--force-dns | force DNS\n");
 fprintf(stderr, " -I|--print-id | print out given ID\n");
 fprintf(stderr, " -K|--md5-hashkey | set key for MD5-keyed hashing\n");
- fprintf(stderr, " -L|--rule-benchmark | benchmark for rules\n");
 fprintf(stderr, " -N|--print-plugins | print available plugins and exit (-NN for verbose)\n");
 fprintf(stderr, " -O|--optimize | optimize policy script\n");
 fprintf(stderr, " -P|--prime-dns | prime DNS\n");
@@ -503,7 +501,6 @@ int main(int argc, char** argv)
 {"save-seeds", required_argument, 0, 'H'},
 {"set-seed", required_argument, 0, 'J'},
 {"md5-hashkey", required_argument, 0, 'K'},
- {"rule-benchmark", no_argument, 0, 'L'},
 {"print-plugins", no_argument, 0, 'N'},
 {"optimize", no_argument, 0, 'O'},
 {"prime-dns", no_argument, 0, 'P'},
@@ -668,10 +665,6 @@ int main(int argc, char** argv)
 hmac_key_set = 1;
 break;
- case 'L':
- ++rule_bench;
- break;
-
 case 'N':
 ++print_plugins;
 break;
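Review bot: The `true` appended to `PIA_DeliverPacket(...)` in this hunk (and the `false` in the next one) is a bare boolean whose meaning is only discoverable by reading PIA.cc; from the neighbouring `ActivateAnalyzer`/`DeliverStream` declarations this appears to be the UDP override and the other the TCP one, but the call sites do not say so. Annotate the argument where it is passed, `PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true /* clear_state: match per datagram */);` and `false /* clear_state: stream analysis keeps state */` in the TCP override, or introduce a named constant. The enclosing DeliverPacket override begins outside the hunk.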
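Review bot: Removing `case 'L':` from the option switch in the last main.cc hunk does not on its own retire the flag: if the short-option string passed to getopt_long (not in this diff) still contains `L`, `bro -L` is accepted silently and falls into whatever the switch's default branch does instead of being rejected as unknown. usage() and the long-options table were both updated, so the optstring is the one remaining place to check; please confirm it drops `L` as well. The switch and main() extend beyond the hunk.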
diff --git a/testing/btest/Baseline/signatures.udp-packetwise-match/out b/testing/btest/Baseline/signatures.udp-packetwise-match/out
new file mode 100644
index 0000000000..f0ea6c449e
--- /dev/null
+++ b/testing/btest/Baseline/signatures.udp-packetwise-match/out
@@ -0,0 +1,6 @@
+signature match, Found XXXX, XXXX
+signature match, Found ^XXXX, XXXX
+signature match, Found .*XXXX, XXXX
+signature match, Found YYYY, YYYY
+signature match, Found ^YYYY, YYYY
+signature match, Found .*YYYY, YYYY
diff --git a/testing/btest/Traces/udp-signature-test.pcap b/testing/btest/Traces/udp-signature-test.pcap
new file mode 100644
index 0000000000..01a880fae1
Binary files /dev/null and b/testing/btest/Traces/udp-signature-test.pcap differ
diff --git a/testing/btest/signatures/udp-packetwise-match.bro b/testing/btest/signatures/udp-packetwise-match.bro
new file mode 100644
index 0000000000..66551afee3
--- /dev/null
+++ b/testing/btest/signatures/udp-packetwise-match.bro
@@ -0,0 +1,53 @@
+# @TEST-EXEC: bro -r $TRACES/udp-signature-test.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load-sigs test.sig
+
+@TEST-START-FILE test.sig
+signature xxxx {
+ ip-proto = udp
+ payload /XXXX/
+ event "Found XXXX"
+}
+
+signature axxxx {
+ ip-proto = udp
+ payload /^XXXX/
+ event "Found ^XXXX"
+}
+
+signature sxxxx {
+ ip-proto = udp
+ payload /.*XXXX/
+ event "Found .*XXXX"
+}
+
+signature yyyy {
+ ip-proto = udp
+ payload /YYYY/
+ event "Found YYYY"
+}
+
+signature ayyyy {
+ ip-proto = udp
+ payload /^YYYY/
+ event "Found ^YYYY"
+}
+
+signature syyyy {
+ ip-proto = udp
+ payload /.*YYYY/
+ event "Found .*YYYY"
+}
+
+signature nope {
+ ip-proto = udp
+ payload /.*nope/
+ event "Found .*nope"
+}
+@TEST-END-FILE
+
+event signature_match(state: signature_state, msg: string, data: string)
+ {
+ print "signature match", msg, data;
+ }
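Review bot: The new test checks that unanchored and `^`-anchored patterns fire on each datagram, but not the two properties that actually distinguish packet-wise matching from stream matching: that a pattern spanning two consecutive datagrams does NOT match, and whether a `$`-anchored payload can match at all. If the trace carries XXXX in one packet and YYYY in the next (as the baseline order suggests), adding `signature xy { ip-proto = udp payload /XXXXYYYY/ event "Found XXXXYYYY" }` and a `payload /XXXX$/` variant would pin both behaviours in the baseline; the existing `nope` signature only shows that an absent string does not match. The packet contents are inferred from the baseline, so adjust the patterns to what the pcap really contains.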