From a6cb85d86a0a4b233e71a99dbc3b8ac1dc24f823 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Wed, 16 Mar 2016 15:50:13 -0700
Subject: [PATCH 01/12] Add filter_subnet_table bif

This bif works similar to the matching_subnet bif. The difference is
that, instead of returning a vector of the subnets that match, we return
a filtered view of the original set/table only containing the changed
subnets.

This commit also fixes a small bug in TableVal::UpdateTimestamp
(ReadOperation only has to be called when LoggingAccess() is true).
---
 src/PrefixTable.cc                            |  8 +--
 src/PrefixTable.h                             |  4 +-
 src/Val.cc                                    | 50 ++++++++++++++++++-
 src/Val.h                                     | 10 ++++
 src/bro.bif                                   | 35 +++++++------
 .../Baseline/bifs.filter_subnet_table/output  | 20 ++++++++
 testing/btest/bifs/filter_subnet_table.bro    | 49 ++++++++++++++++++
 7 files changed, 153 insertions(+), 23 deletions(-)
 create mode 100644 testing/btest/Baseline/bifs.filter_subnet_table/output
 create mode 100644 testing/btest/bifs/filter_subnet_table.bro

diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc
index 27f7c48c36..007e08349c 100644
--- a/src/PrefixTable.cc
+++ b/src/PrefixTable.cc
@@ -62,9 +62,9 @@ void* PrefixTable::Insert(const Val* value, void* data)
 	}
 	}
 
-list<IPPrefix> PrefixTable::FindAll(const IPAddr& addr, int width) const
+list<tuple<IPPrefix,void*>> PrefixTable::FindAll(const IPAddr& addr, int width) const
 	{
-	std::list<IPPrefix> out;
+	std::list<tuple<IPPrefix,void*>> out;
 	prefix_t* prefix = MakePrefix(addr, width);
 
 	int elems = 0;
@@ -73,14 +73,14 @@ list<IPPrefix> PrefixTable::FindAll(const IPAddr& addr, int width) const
 	patricia_search_all(tree, prefix, &list, &elems);
 
 	for ( int i = 0; i < elems; ++i )
-		out.push_back(PrefixToIPPrefix(list[i]->prefix));
+		out.push_back(std::make_tuple(PrefixToIPPrefix(list[i]->prefix), list[i]->data));
 
 	Deref_Prefix(prefix);
 	free(list);
 	return out;
 	}
 
-list<IPPrefix> PrefixTable::FindAll(const SubNetVal* value) const
+list<tuple<IPPrefix,void*>> PrefixTable::FindAll(const SubNetVal* value) const
 	{
 	return FindAll(value->AsSubNet().Prefix(), value->AsSubNet().LengthIPv6());
 	}
diff --git a/src/PrefixTable.h b/src/PrefixTable.h
index 8c329c93a9..6606b77e81 100644
--- a/src/PrefixTable.h
+++ b/src/PrefixTable.h
@@ -37,8 +37,8 @@ public:
 	void* Lookup(const Val* value, bool exact = false) const;
 
 	// Returns list of all found matches or empty list otherwise.
-	list<IPPrefix> FindAll(const IPAddr& addr, int width) const;
-	list<IPPrefix> FindAll(const SubNetVal* value) const;
+	list<tuple<IPPrefix,void*>> FindAll(const IPAddr& addr, int width) const;
+	list<tuple<IPPrefix,void*>> FindAll(const SubNetVal* value) const;
 
 	// Returns pointer to data or nil if not found.
 	void* Remove(const IPAddr& addr, int width);
diff --git a/src/Val.cc b/src/Val.cc
index 01a849c639..35233e9056 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1833,6 +1833,54 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 	return def;
 	}
 
+VectorVal* TableVal::LookupSubnets(const SubNetVal* search)
+	{
+	if ( ! subnets )
+			reporter->InternalError("LookupSubnets called on wrong table type");
+
+	VectorVal* result = new VectorVal(internal_type("subnet_vec")->AsVectorType());
+
+	auto matches = subnets->FindAll(search);
+	for ( auto element : matches )
+		{
+		SubNetVal* s = new SubNetVal(get<0>(element));
+		result->Assign(result->Size(), s);
+		}
+
+	return result;
+	}
+
+TableVal* TableVal::LookupSubnetValues(const SubNetVal* search)
+	{
+	if ( ! subnets )
+			reporter->InternalError("LookupSubnetValues called on wrong table type");
+
+	TableVal* nt = new TableVal(this->Type()->Ref()->AsTableType());
+
+	auto matches = subnets->FindAll(search);
+	for ( auto element : matches )
+		{
+		SubNetVal* s = new SubNetVal(get<0>(element));
+		TableEntryVal* entry = reinterpret_cast<TableEntryVal*>(get<1>(element));
+
+		if ( entry && entry->Value() )
+			nt->Assign(s, entry->Value()->Ref());
+		else
+			nt->Assign(s, 0); // set
+
+		if ( entry )
+			{
+			entry->SetExpireAccess(network_time);
+			if ( LoggingAccess() && attrs->FindAttr(ATTR_EXPIRE_READ) )
+				ReadOperation(s, entry);
+			}
+
+		Unref(s); // assign does not consume index
+		}
+
+	return nt;
+	}
+
 bool TableVal::UpdateTimestamp(Val* index)
 	{
 	TableEntryVal* v;
@@ -1854,7 +1902,7 @@ bool TableVal::UpdateTimestamp(Val* index)
 		return false;
 
 	v->SetExpireAccess(network_time);
-	if ( attrs->FindAttr(ATTR_EXPIRE_READ) )
+	if ( LoggingAccess() && attrs->FindAttr(ATTR_EXPIRE_READ) )
 		ReadOperation(index, v);
 
 	return true;
diff --git a/src/Val.h b/src/Val.h
index fdc60436bf..a49a2e2235 100644
--- a/src/Val.h
+++ b/src/Val.h
@@ -790,6 +790,16 @@ public:
 	// need to Ref/Unref it when calling the default function.
 	Val* Lookup(Val* index, bool use_default_val = true);
 
+	// For a table[subnet]/set[subnet], return all subnets that cover
+	// the given subnet.
+	// Causes an internal error if called for any other kind of table.
+	VectorVal* LookupSubnets(const SubNetVal* s);
+
+	// For a set[subnet]/table[subnet], return a new table that only contains
+	// entries that cover the given subnet.
+	// Causes an internal error if called for any other kind of table.
+	TableVal* LookupSubnetValues(const SubNetVal* s);
+
 	// Sets the timestamp for the given index to network time.
 	// Returns false if index does not exist.
 	bool UpdateTimestamp(Val* index);
diff --git a/src/bro.bif b/src/bro.bif
index 38f588d675..2c55c2bc95 100644
--- a/src/bro.bif
+++ b/src/bro.bif
@@ -1031,7 +1031,7 @@ function clear_table%(v: any%): any
 	return 0;
 	%}
 
-## Gets all subnets that match a given subnet from a set/table[subnet]
+## Gets all subnets that contain a given subnet from a set/table[subnet]
 ##
 ## search: the subnet to search for.
 ##
@@ -1046,23 +1046,26 @@ function matching_subnets%(search: subnet, t: any%): subnet_vec
 		return nullptr;
 		}
 
-	const PrefixTable* pt = t->AsTableVal()->Subnets();
-	if ( ! pt )
+	return t->AsTableVal()->LookupSubnets(search);
+	%}
+
+## For a set[subnet]/table[subnet], create a new table that contains all entries that
+## contain a given subnet.
+##
+## search: the subnet to search for.
+##
+## t: the set[subnet] or table[subnet].
+##
+## Returns: A new table that contains all the entries that cover the subnet searched for.
+function filter_subnet_table%(search: subnet, t: any%): any
+	%{
+	if ( t->Type()->Tag() != TYPE_TABLE || ! t->Type()->AsTableType()->IsSubNetIndex() )
 		{
-		reporter->Error("matching_subnets encountered nonexisting prefix table.");
+		reporter->Error("filter_subnet_table needs to be called on a set[subnet]/table[subnet].");
 		return nullptr;
 		}
 
-	VectorVal* result_v = new VectorVal(internal_type("subnet_vec")->AsVectorType());
-
-	auto matches = pt->FindAll(search);
-	for ( auto element : matches )
-		{
-		SubNetVal* s = new SubNetVal(element);
-		result_v->Assign(result_v->Size(), s);
-		}
-
-	return result_v;
+	return t->AsTableVal()->LookupSubnetValues(search);
 	%}
 
 ## Checks if a specific subnet is a member of a set/table[subnet].
@@ -1078,14 +1081,14 @@ function check_subnet%(search: subnet, t: any%): bool
 	%{
 	if ( t->Type()->Tag() != TYPE_TABLE || ! t->Type()->AsTableType()->IsSubNetIndex() )
 		{
-		reporter->Error("matching_subnets needs to be called on a set[subnet]/table[subnet].");
+		reporter->Error("check_subnet needs to be called on a set[subnet]/table[subnet].");
 		return nullptr;
 		}
 
 	const PrefixTable* pt = t->AsTableVal()->Subnets();
 	if ( ! pt )
 		{
-		reporter->Error("matching_subnets encountered nonexisting prefix table.");
+		reporter->Error("check_subnet encountered nonexisting prefix table.");
 		return nullptr;
 		}
 
diff --git a/testing/btest/Baseline/bifs.filter_subnet_table/output b/testing/btest/Baseline/bifs.filter_subnet_table/output
new file mode 100644
index 0000000000..d86ca621a5
--- /dev/null
+++ b/testing/btest/Baseline/bifs.filter_subnet_table/output
@@ -0,0 +1,20 @@
+{
+10.0.0.0/8,
+10.2.0.2/31,
+10.2.0.0/16
+}
+{
+[10.0.0.0/8] = a,
+[10.2.0.2/31] = c,
+[10.2.0.0/16] = b
+}
+{
+[10.0.0.0/8] = a,
+[10.3.0.0/16] = e
+}
+{
+
+}
+{
+
+}
diff --git a/testing/btest/bifs/filter_subnet_table.bro b/testing/btest/bifs/filter_subnet_table.bro
new file mode 100644
index 0000000000..7659096a71
--- /dev/null
+++ b/testing/btest/bifs/filter_subnet_table.bro
@@ -0,0 +1,49 @@
+# @TEST-EXEC: bro -b %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+global testa: set[subnet] = {
+	10.0.0.0/8,
+	10.2.0.0/16,
+	10.2.0.2/31,
+	10.1.0.0/16,
+	10.3.0.0/16,
+	5.0.0.0/8,
+	5.5.0.0/25,
+	5.2.0.0/32,
+	7.2.0.0/32,
+	[2607:f8b0:4008:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/64,
+	[2607:f8b0:4007:807::200e]/128
+};
+
+global testb: table[subnet] of string = {
+	[10.0.0.0/8] = "a",
+	[10.2.0.0/16] = "b",
+	[10.2.0.2/31] = "c",
+	[10.1.0.0/16] = "d",
+	[10.3.0.0/16] = "e",
+	[5.0.0.0/8] = "f",
+	[5.5.0.0/25] = "g",
+	[5.2.0.0/32] = "h",
+	[7.2.0.0/32] = "i",
+	[[2607:f8b0:4008:807::200e]/64] = "j",
+	[[2607:f8b0:4007:807::200e]/64] = "k",
+	[[2607:f8b0:4007:807::200e]/128] = "l"
+};
+
+
+event bro_init()
+	{
+	local c = filter_subnet_table(10.2.0.2/32, testa);
+	print c;
+	c = filter_subnet_table(10.2.0.2/32, testb);
+	print c;
+	c = filter_subnet_table(10.3.0.2/32, testb);
+	print c;
+	c = filter_subnet_table(1.0.0.0/8, testb);
+	print c;
+
+	local unspecified: table[subnet] of string = table();
+	c = filter_subnet_table(10.2.0.2/32, unspecified);
+	print c;
+	}

From e8bdf14bfd2c08a43f9a26fa301ce253cf72e3ec Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu <grigorescu@gmail.com>
Date: Thu, 17 Mar 2016 13:49:06 -0500
Subject: [PATCH 02/12] Call ProtocolConfirmation in MySQL analyzer.

---
 src/analyzer/protocol/mysql/mysql-analyzer.pac | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index 2108401436..cd3c6ffd5c 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@@ -19,6 +19,10 @@ refine flow MySQL_Flow += {
 
 	function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
 		%{
+    if ( ${msg.version} == 9 || ${msg.version == 10} )
+    	{
+    	connection()->bro_analyzer()->ProtocolConfirmation();
+      }
 		if ( mysql_handshake )
 			{
 			if ( ${msg.version} == 10 )

From a5f4e8aafea1ab20fe266f384692904f4253b73a Mon Sep 17 00:00:00 2001
From: Jan Grashoefer <jan.grashoefer@gmail.com>
Date: Thu, 17 Mar 2016 19:53:22 +0100
Subject: [PATCH 03/12] Added &read_expire testcase for subnet tables

---
 .../Baseline/language.expire_subnet/output    | 27 ++++++
 testing/btest/language/expire_subnet.test     | 96 +++++++++++++++++++
 2 files changed, 123 insertions(+)
 create mode 100644 testing/btest/Baseline/language.expire_subnet/output
 create mode 100644 testing/btest/language/expire_subnet.test

diff --git a/testing/btest/Baseline/language.expire_subnet/output b/testing/btest/Baseline/language.expire_subnet/output
new file mode 100644
index 0000000000..70ca3943cb
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_subnet/output
@@ -0,0 +1,27 @@
+All:
+0 --> zero
+2 --> two
+4 --> four
+1 --> one
+3 --> three
+192.168.3.0/24 --> three
+192.168.0.0/16 --> zero
+192.168.4.0/24 --> four
+192.168.1.0/24 --> one
+192.168.2.0/24 --> two
+Time: 0 secs
+
+Accessed table nums: two; three
+Accessed table nets: two; three, zero
+Time: 7.0 secs 518.0 msecs 828.0 usecs
+
+Expired Num: 0 --> zero at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Num: 4 --> four at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Num: 1 --> one at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Subnet: 192.168.4.0/24 --> four at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Subnet: 192.168.1.0/24 --> one at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Num: 2 --> two at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Num: 3 --> three at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Subnet: 192.168.3.0/24 --> three at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Subnet: 192.168.0.0/16 --> zero at 15.0 secs 150.0 msecs 681.0 usecs
+Expired Subnet: 192.168.2.0/24 --> two at 15.0 secs 150.0 msecs 681.0 usecs
diff --git a/testing/btest/language/expire_subnet.test b/testing/btest/language/expire_subnet.test
new file mode 100644
index 0000000000..12d5e56b5a
--- /dev/null
+++ b/testing/btest/language/expire_subnet.test
@@ -0,0 +1,96 @@
+# @TEST-EXEC: bro -C -r $TRACES/var-services-std-ports.trace %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+redef table_expire_interval = 1sec;
+
+global start_time: time;
+
+function time_past(): interval
+	{
+	return network_time() - start_time;
+	}
+
+function expire_nums(tbl: table[count] of string, idx: count): interval
+	{
+	print fmt("Expired Num: %s --> %s at %s", idx, tbl[idx], time_past());
+	return 0sec;
+	}
+
+function expire_nets(tbl: table[subnet] of string, idx: subnet): interval
+	{
+	print fmt("Expired Subnet: %s --> %s at %s", idx, tbl[idx], time_past());
+	return 0sec;
+	}
+
+global nums: table[count] of string &read_expire=8sec &expire_func=expire_nums;
+global nets: table[subnet] of string &read_expire=8sec &expire_func=expire_nets;
+global step: count;
+
+### Test ###
+
+function execute_test()
+	{
+	local num_a = nums[2];
+	local num_b = nums[3];
+
+	local net_a = nets[192.168.2.0/24];
+	#local net_b = nets[192.168.3.0/24];
+	local nets_b = "";
+	local nets_b_tbl: table[subnet] of string;
+
+	nets_b_tbl = filter_subnet_table(192.168.3.0/24, nets);
+	for ( idx in nets_b_tbl )
+		nets_b += cat(", ", nets_b_tbl[idx]);
+	nets_b = nets_b[2:];
+	
+	# writing resets expire as expected
+	#nets[192.168.2.0/24] = "accessed";
+	#nets[192.168.3.0/24] = "accessed";
+
+	print fmt("Accessed table nums: %s; %s", num_a, num_b);
+	print fmt("Accessed table nets: %s; %s", net_a, nets_b);
+	print fmt("Time: %s", time_past());
+	print "";
+	}
+
+### Events ###
+
+event bro_init()
+	{
+	step = 0;
+
+	nums[0] = "zero";
+	nums[1] = "one";
+	nums[2] = "two";
+	nums[3] = "three";
+	nums[4] = "four";
+
+	nets[192.168.0.0/16] = "zero";
+	nets[192.168.1.0/24] = "one";
+	nets[192.168.2.0/24] = "two";
+	nets[192.168.3.0/24] = "three";
+	nets[192.168.4.0/24] = "four";
+	}
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	if ( step == 0 )
+		{
+		++step;
+		start_time = network_time();
+
+		print "All:";
+		for ( num in nums )
+			print fmt("%s --> %s", num, nums[num]);
+		for ( net in nets )
+			print fmt("%s --> %s", net, nets[net]);
+		print fmt("Time: %s", time_past());
+		print "";
+		}
+
+	if ( (time_past() > 7sec) && (step == 1) )
+		{
+		++step;
+		execute_test();
+		}
+	}

From d5034ccc19f8c5e4b48c0d8c2c03eb64caf662fd Mon Sep 17 00:00:00 2001
From: Jan Grashoefer <jan.grashoefer@gmail.com>
Date: Thu, 17 Mar 2016 19:56:25 +0100
Subject: [PATCH 04/12] Fixed &read_expire for subnet-indexed tables

---
 src/Val.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/Val.cc b/src/Val.cc
index 35233e9056..ce15cb9179 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1787,7 +1787,18 @@ Val* TableVal::Lookup(Val* index, bool use_default_val)
 		{
 		TableEntryVal* v = (TableEntryVal*) subnets->Lookup(index);
 		if ( v )
+			{
+			if ( attrs &&
+				     ! (attrs->FindAttr(ATTR_EXPIRE_WRITE) ||
+					attrs->FindAttr(ATTR_EXPIRE_CREATE)) )
+					{
+					v->SetExpireAccess(network_time);
+					if ( LoggingAccess() && expire_time )
+						ReadOperation(index, v);
+					}
+
 			return v->Value() ? v->Value() : this;
+			}
 
 		if ( ! use_default_val )
 			return 0;

From 33f9eca0c8bc0a5850a5d1d3fc677031a35ab058 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Fri, 18 Mar 2016 11:23:44 -0700
Subject: [PATCH 05/12] Update TLS constants and extensions from IANA.

---
 scripts/base/protocols/ssl/consts.bro | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index 7a95d63cc6..35cfc7681d 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
@@ -109,7 +109,7 @@ export {
 		[7] = "client_authz",
 		[8] = "server_authz",
 		[9] = "cert_type",
-		[10] = "elliptic_curves",
+		[10] = "elliptic_curves", # new name: supported_groups - draft-ietf-tls-negotiated-ff-dhe
 		[11] = "ec_point_formats",
 		[12] = "srp",
 		[13] = "signature_algorithms",
@@ -120,9 +120,10 @@ export {
 		[18] = "signed_certificate_timestamp",
 		[19] = "client_certificate_type",
 		[20] = "server_certificate_type",
-		[21] = "padding", # temporary till 2016-03-12
+		[21] = "padding",
 		[22] = "encrypt_then_mac",
 		[23] = "extended_master_secret",
+		[24] = "token_binding", # temporary till 2017-02-04 - draft-ietf-tokbind-negotiation
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",
@@ -165,7 +166,10 @@ export {
 		[26] = "brainpoolP256r1",
 		[27] = "brainpoolP384r1",
 		[28] = "brainpoolP512r1",
-		# draft-ietf-tls-negotiated-ff-dhe-05
+		# Temporary till 2017-03-01 - draft-ietf-tls-rfc4492bis
+		[29] = "ecdh_x25519",
+		[30] = "ecdh_x448",
+		# draft-ietf-tls-negotiated-ff-dhe-10
 		[256] = "ffdhe2048",
 		[257] = "ffdhe3072",
 		[258] = "ffdhe4096",

From 8de08047122ea105eed77815a479ee5bb866bd51 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Fri, 18 Mar 2016 12:33:59 -0700
Subject: [PATCH 06/12] Update NEWS

---
 NEWS | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index b2310b0f62..86c3b1891a 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,9 @@ New Functionality
   - matching_subnets(subnet, table) returns all subnets of the set or table
     that contain the given subnet.
 
+  - filter_subnet_table(subnet, table) works like check_subnet, but returns
+    a table containing all matching entries.
+
 - Several built-in functions for handling IP addresses and subnets were added:
 
   - is_v4_subnet(subnet) checks whether a subnet specification is IPv4.

From cfffb6e634eb40eb965461a7427a9f672fe32cc7 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Fri, 18 Mar 2016 12:34:26 -0700
Subject: [PATCH 07/12] Check that there is only one of read, write,
 create_expire

---
 src/Attr.cc                                   | 21 +++++++++++++++++++
 .../language.expire_multiple-2/output         |  1 +
 .../language.expire_multiple-3/output         |  1 +
 .../Baseline/language.expire_multiple/output  |  1 +
 testing/btest/language/expire_multiple.test   | 12 +++++++++++
 5 files changed, 36 insertions(+)
 create mode 100644 testing/btest/Baseline/language.expire_multiple-2/output
 create mode 100644 testing/btest/Baseline/language.expire_multiple-3/output
 create mode 100644 testing/btest/Baseline/language.expire_multiple/output
 create mode 100644 testing/btest/language/expire_multiple.test

diff --git a/src/Attr.cc b/src/Attr.cc
index 4bfbcf2ad7..14b00bd0d7 100644
--- a/src/Attr.cc
+++ b/src/Attr.cc
@@ -375,12 +375,33 @@ void Attributes::CheckAttr(Attr* a)
 	case ATTR_EXPIRE_READ:
 	case ATTR_EXPIRE_WRITE:
 	case ATTR_EXPIRE_CREATE:
+		{
 		if ( type->Tag() != TYPE_TABLE )
 			{
 			Error("expiration only applicable to tables");
 			break;
 			}
 
+		int num_expires = 0;
+		if ( attrs )
+			{
+			loop_over_list(*attrs, i)
+				{
+				Attr* a = (*attrs)[i];
+				if ( a->Tag() == ATTR_EXPIRE_READ ||
+				     a->Tag() == ATTR_EXPIRE_WRITE ||
+				     a->Tag() == ATTR_EXPIRE_CREATE )
+					num_expires++;
+				}
+			}
+
+		if ( num_expires > 1 )
+			{
+			Error("set/table can only have one of &read_expire, &write_expire, &create_expire");
+			break;
+			}
+		}
+
 #if 0
 		//### not easy to test this w/o knowing the ID.
 		if ( ! IsGlobal() )
diff --git a/testing/btest/Baseline/language.expire_multiple-2/output b/testing/btest/Baseline/language.expire_multiple-2/output
new file mode 100644
index 0000000000..ffcdb6ff80
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_multiple-2/output
@@ -0,0 +1 @@
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.expire_multiple-2/expire_multiple.test, line 2: set/table can only have one of &read_expire, &write_expire, &create_expire (&write_expire=1.0 sec, &create_expire=3.0 secs)
diff --git a/testing/btest/Baseline/language.expire_multiple-3/output b/testing/btest/Baseline/language.expire_multiple-3/output
new file mode 100644
index 0000000000..1dc2e3e765
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_multiple-3/output
@@ -0,0 +1 @@
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.expire_multiple-3/expire_multiple.test, line 2: set/table can only have one of &read_expire, &write_expire, &create_expire (&write_expire=1.0 sec, &read_expire=3.0 secs)
diff --git a/testing/btest/Baseline/language.expire_multiple/output b/testing/btest/Baseline/language.expire_multiple/output
new file mode 100644
index 0000000000..a616c84de7
--- /dev/null
+++ b/testing/btest/Baseline/language.expire_multiple/output
@@ -0,0 +1 @@
+error in /Users/johanna/bro/master/testing/btest/.tmp/language.expire_multiple/expire_multiple.test, line 4: set/table can only have one of &read_expire, &write_expire, &create_expire (&create_expire=1.0 sec, &read_expire=1.0 sec)
diff --git a/testing/btest/language/expire_multiple.test b/testing/btest/language/expire_multiple.test
new file mode 100644
index 0000000000..2293873e59
--- /dev/null
+++ b/testing/btest/language/expire_multiple.test
@@ -0,0 +1,12 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >output 2>&1
+# @TEST-EXEC: btest-diff output
+
+global s: set[string] &create_expire=1secs &read_expire=1secs;
+
+# @TEST-START-NEXT:
+
+global s: set[string] &write_expire=1secs &create_expire=3secs;
+
+# @TEST-START-NEXT:
+
+global s: set[string] &write_expire=1secs &read_expire=3secs;

From 0588f3510bc69b018b5d6289db3fef7a9a9adf6f Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 21 Mar 2016 11:59:41 -0700
Subject: [PATCH 08/12] Updating submodule(s).

 [nomail]
---
 aux/broker | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aux/broker b/aux/broker
index fe35cde8f0..6684ab5109 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit fe35cde8f07ff7cf6decd2fb761cffc32e763d2d
+Subproject commit 6684ab5109f526fb535013760f17a4c8dff093ae

From 4e7e211ed0cc2a3e4085da4ca5b517d26b8025d2 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin <vallentin@icir.org>
Date: Mon, 21 Mar 2016 16:54:12 -0700
Subject: [PATCH 09/12] Adapt to recent change in CAF CMake script

Also deprecate --with-libcaf in favor of --with-caf, as already done in
Broker.
---
 configure | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/configure b/configure
index a7a6f3b059..8859a6fa9b 100755
--- a/configure
+++ b/configure
@@ -276,8 +276,12 @@ while [ $# -ne 0 ]; do
         --with-swig=*)
             append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
             ;;
+        --with-caf=*)
+            append_cache_entry CAF_ROOT_DIR      PATH   $optarg
+            ;;
         --with-libcaf=*)
-            append_cache_entry LIBCAF_ROOT_DIR      PATH   $optarg
+            echo "warning: --with-libcaf deprecated, use --with-caf instead"
+            append_cache_entry CAF_ROOT_DIR      PATH   $optarg
             ;;
         --with-rocksdb=*)
             append_cache_entry ROCKSDB_ROOT_DIR     PATH   $optarg

From 357d52fd7d8a66acacc51b7eeabd0b80aa078dc4 Mon Sep 17 00:00:00 2001
From: Matthias Vallentin <vallentin@icir.org>
Date: Mon, 21 Mar 2016 16:54:12 -0700
Subject: [PATCH 10/12] Adapt to recent change in CAF CMake script

Also deprecate --with-libcaf in favor of --with-caf, as already done in
Broker.
---
 configure                 | 6 +++++-
 src/broker/CMakeLists.txt | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/configure b/configure
index a7a6f3b059..8859a6fa9b 100755
--- a/configure
+++ b/configure
@@ -276,8 +276,12 @@ while [ $# -ne 0 ]; do
         --with-swig=*)
             append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
             ;;
+        --with-caf=*)
+            append_cache_entry CAF_ROOT_DIR      PATH   $optarg
+            ;;
         --with-libcaf=*)
-            append_cache_entry LIBCAF_ROOT_DIR      PATH   $optarg
+            echo "warning: --with-libcaf deprecated, use --with-caf instead"
+            append_cache_entry CAF_ROOT_DIR      PATH   $optarg
             ;;
         --with-rocksdb=*)
             append_cache_entry ROCKSDB_ROOT_DIR     PATH   $optarg
diff --git a/src/broker/CMakeLists.txt b/src/broker/CMakeLists.txt
index 7329bfd46e..988855cafb 100644
--- a/src/broker/CMakeLists.txt
+++ b/src/broker/CMakeLists.txt
@@ -10,8 +10,8 @@ if ( ROCKSDB_INCLUDE_DIR )
     include_directories(BEFORE ${ROCKSDB_INCLUDE_DIR})
 endif ()
 
-include_directories(BEFORE ${LIBCAF_INCLUDE_DIR_CORE})
-include_directories(BEFORE ${LIBCAF_INCLUDE_DIR_IO})
+include_directories(BEFORE ${CAF_INCLUDE_DIR_CORE})
+include_directories(BEFORE ${CAF_INCLUDE_DIR_IO})
 
 set(comm_SRCS
     Data.cc

From a9cb90b6f54b2cafd1127ab43f6b18e4038845dd Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@icir.org>
Date: Mon, 21 Mar 2016 21:08:42 -0700
Subject: [PATCH 11/12] Adding canonifier to test.

---
 testing/btest/language/expire_multiple.test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/btest/language/expire_multiple.test b/testing/btest/language/expire_multiple.test
index 2293873e59..1e4aaa0975 100644
--- a/testing/btest/language/expire_multiple.test
+++ b/testing/btest/language/expire_multiple.test
@@ -1,5 +1,5 @@
 # @TEST-EXEC-FAIL: bro -b %INPUT >output 2>&1
-# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
 
 global s: set[string] &create_expire=1secs &read_expire=1secs;
 

From 8650841bf553281bed7ea023354e83e8efea8970 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@icir.org>
Date: Thu, 24 Mar 2016 13:38:47 -0700
Subject: [PATCH 12/12] Only load openflow/netcontrol if compiled with broker.

---
 CHANGES                       | 6 ++++++
 VERSION                       | 2 +-
 scripts/base/init-default.bro | 2 ++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index e90e85f125..a527dcbcc2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
 
+2.4-424 | 2016-03-24 13:38:47 -0700
+
+  * Only load openflow/netcontrol if compiled with broker. (Johanna Amann)
+
+  * Adding canonifier to test. (Robin Sommer)
+
 2.4-422 | 2016-03-21 19:48:30 -0700
 
   * Adapt to recent change in CAF CMake script. (Matthias Vallentin)
diff --git a/VERSION b/VERSION
index 032d05a7ea..af797c6f72 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4-422
+2.4-424
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 7fefe0111d..609ed7200c 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -37,8 +37,10 @@
 @load base/frameworks/reporter
 @load base/frameworks/sumstats
 @load base/frameworks/tunnels
+@ifdef ( BrokerComm::enable )
 @load base/frameworks/openflow
 @load base/frameworks/netcontrol
+@endif
 
 @load base/protocols/conn
 @load base/protocols/dhcp